The Samba-Bugzilla – Attachment 18176 Details for
Bug 15492
Kerberos TGS-REQ with User2User does not work for normal accounts
[patch]
Patches for v4-19-test
bug-15492-v4.19.patch.txt (text/plain), 8.05 KB, created by
Jule Anger
on 2023-10-25 07:45:37 UTC
Description:
Patches for v4-19-test
Filename:
MIME Type:
Creator:
Jule Anger
Created:
2023-10-25 07:45:37 UTC
Size:
8.05 KB
patch
obsolete
>From 36a014098101499e701ec0b25ed60f891494aa5f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 11 Oct 2023 15:54:15 +0200
>Subject: [PATCH 1/3] tests/krb5/kdc_tgs_tests: add user2user tests using a
> normal user account
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/knownfail.d/krb5_user2user | 1 +
> 1 file changed, 1 insertion(+)
> create mode 100644 selftest/knownfail.d/krb5_user2user
>
>diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user
>new file mode 100644
>index 000000000000..44e2f8d97299
>--- /dev/null
>+++ b/selftest/knownfail.d/krb5_user2user
>@@ -0,0 +1 @@
>+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req
>--
>2.34.1
>
>
>From 0f64f1ad2118e5f33697bafb3d31c1692b9a6f18 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 16 Oct 2023 12:33:15 +1300
>Subject: [PATCH 2/3] third_party/heimdal kdc: introduce
> HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit
> a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
>
>This allows HDB backends to do special handling for
>User2User TGS-REQs. The main reason is to let
>the HDB_F_GET_SERVER lookup to succeed even for
>non-computer accounts. In Samba these are typically
>not returned in HDB_F_GET_SERVER in order to avoid
>generating tickets with the user password.
>
>But for User2User the account password is not used,
>so it is safe to return the server entry.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
>
>(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)
>---
> third_party/heimdal/kdc/krb5tgs.c | 7 ++++++-
> third_party/heimdal/lib/hdb/hdb.h | 1 +
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
>diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
>index 79dbe6622f46..e7f0e1e49dd5 100644
>--- a/third_party/heimdal/kdc/krb5tgs.c
>+++ b/third_party/heimdal/kdc/krb5tgs.c
>@@ -1380,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv,
>
> Key *tkey_sign;
> int flags = HDB_F_FOR_TGS_REQ;
>+ int server_flags;
>
> int result;
>
>@@ -1401,6 +1402,10 @@ tgs_build_reply(astgs_request_t priv,
> if (b->kdc_options.canonicalize)
> flags |= HDB_F_CANON;
>
>+ server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
>+ if (b->kdc_options.enc_tkt_in_skey)
>+ server_flags |= HDB_F_USER2USER_PRINCIPAL;
>+
> if (s == NULL) {
> ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
> _kdc_set_const_e_text(priv, "No server in request");
>@@ -1438,7 +1443,7 @@ server_lookup:
> _kdc_free_ent(context, serverdb, priv->server);
> priv->server = NULL;
> ret = _kdc_db_fetch(context, config, priv->server_princ,
>- HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
>+ server_flags,
> NULL, &serverdb, &priv->server);
> priv->serverdb = serverdb;
> if (ret == HDB_ERR_NOT_FOUND_HERE) {
>diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
>index 6534766a18cf..bd40e5a57690 100644
>--- a/third_party/heimdal/lib/hdb/hdb.h
>+++ b/third_party/heimdal/lib/hdb/hdb.h
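Review bot: In the @@ -1401 hunk, `server_flags |= HDB_F_USER2USER_PRINCIPAL` is derived from the client-controlled `enc_tkt_in_skey` request option alone, before anything about the additional ticket has been verified, so any TGS-REQ can steer the backend into its user2user server-lookup path and obtain entries (in Samba, with random keys) for accounts that the plain `HDB_F_GET_SERVER` lookup would withhold. That is only safe if every later use of `priv->server` on this path either takes the session key from the additional ticket or fails when that ticket is absent or invalid, which the hunk cannot show and which I could not confirm from here. A comment at the assignment would make that contract visible to the next reader of `tgs_build_reply`, e.g. `/* enc_tkt_in_skey: backends may return non-service entries here; their long-term keys must never be used for the reply */`. tgs_build_reply continues outside the hunk on both sides; the @@ -1438 hunk only substitutes the new variable into the `_kdc_db_fetch` call.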
>@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
> #define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
> #define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
> #define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */
>+#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */
>
> /* hdb_capability_flags */
> #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
>--
>2.34.1
>
>
>From 0bce532ad0f2f1acaf8fe8a748b0a72fcd357656 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 11 Oct 2023 15:58:22 +0200
>Subject: [PATCH 3/3] s4:kdc: fix user2user tgs-requests for normal user
> accounts
>
>User2User tgs requests use the session key of the additional
>ticket instead of the long term keys based on the password.
>
>In addition User2User also asserts that client and server
>are the same account (cecked based on the sid).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
>
>(cherry picked from commit bf79979f847de36db9da9646a396cdfe6b0e1c6f)
>---
> selftest/knownfail.d/krb5_user2user | 1 -
> source4/kdc/db-glue.c | 30 ++++++++++++++++++++++++++---
> source4/kdc/sdb.h | 4 +++-
> 3 files changed, 30 insertions(+), 5 deletions(-)
> delete mode 100644 selftest/knownfail.d/krb5_user2user
>
>diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user
>deleted file mode 100644
>index 44e2f8d97299..000000000000
>--- a/selftest/knownfail.d/krb5_user2user
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index 5894b47ecd9e..a55f66e94c7f 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -624,6 +624,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
> }
> }
>
>+ if (flags & SDB_F_USER2USER_PRINCIPAL) {
>+ /*
>+ * User2User uses the session key
>+ * from the additional ticket,
>+ * so we just provide random keys
>+ * here in order to make sure
>+ * we never expose the user password
>+ * keys.
>+ */
>+ ret = samba_kdc_set_random_keys(context,
>+ supported_enctypes,
>+ &entry->keys);
>+
>+ *supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;
>+
>+ goto out;
>+ }
>+
> if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
> && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
> ret = samba_kdc_set_random_keys(context,
>@@ -1093,6 +1111,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
> const struct authn_kerberos_client_policy *authn_client_policy = NULL;
> const struct authn_server_policy *authn_server_policy = NULL;
> int64_t enforced_tgt_lifetime_raw;
>+ const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL);
>
> ZERO_STRUCTP(entry);
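Review bot: The new `SDB_F_USER2USER_PRINCIPAL` branch in the @@ -624 hunk keys off the fetch flag alone, while the smartcard branch directly below it also checks `ent_type == SAMBA_KDC_ENT_TYPE_CLIENT`; if a caller ever passes the flag while building anything other than the server entry, the real keys would be replaced silently. Gating it as `if ((ent_type == SAMBA_KDC_ENT_TYPE_SERVER) && (flags & SDB_F_USER2USER_PRINCIPAL)) {` would mirror that style, assuming the user2user server fetch always builds a server-type entry, or a comment should state that the flag is only ever set on the server fetch. `ret` from `samba_kdc_set_random_keys()` is carried straight to `goto out` without a check; presumably `out:` returns it, but that label, like the rest of samba_kdc_message2entry_keys, lies outside the hunk.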
>
>@@ -1174,12 +1193,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
> */
> entry->flags.force_canonicalize = true;
>
>- /* Windows 2008 seems to enforce this (very sensible) rule by
>+ /*
>+ * Windows 2008 seems to enforce this (very sensible) rule by
> * default - don't allow offline attacks on a user's password
> * by asking for a ticket to them as a service (encrypted with
>- * their probably patheticly insecure password) */
>+ * their probably pathetically insecure password)
>+ *
>+ * But user2user avoids using the keys bases on the password,
>+ * so we can allow it.
>+ */
>
>- if (entry->flags.server
>+ if (entry->flags.server && !user2user
> && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
> if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
> entry->flags.server = 0;
>diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
>index e59d22434fd6..d2fb67bd9e72 100644
>--- a/source4/kdc/sdb.h
>+++ b/source4/kdc/sdb.h
>@@ -120,6 +120,7 @@ struct sdb_entry {
> #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
> #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
> #define SDB_F_ARMOR_PRINCIPAL 262144 /* fetch is for the client of an armor ticket */
>+#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */
>
> #define SDB_F_HDB_MASK (SDB_F_DECRYPT | \
> SDB_F_GET_CLIENT| \
>@@ -130,7 +131,8 @@ struct sdb_entry {
> SDB_F_KVNO_SPECIFIED | \
> SDB_F_FOR_AS_REQ | \
> SDB_F_FOR_TGS_REQ | \
>- SDB_F_ARMOR_PRINCIPAL)
>+ SDB_F_ARMOR_PRINCIPAL| \
>+ SDB_F_USER2USER_PRINCIPAL)
>
> /* This is not supported by HDB */
> #define SDB_F_FORCE_CANON 16384 /* force canonicalization */
>--
>2.34.1
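Review bot: The new comment in the @@ -1174 hunk reads `keys bases on the password`; it should be `keys based on the password`. Beyond the typo, the `!user2user` bypass of the `require spn for service` rule is only safe because samba_kdc_message2entry_keys() substitutes random keys whenever SDB_F_USER2USER_PRINCIPAL is set (the @@ -624 hunk), and the comment should name that dependency so the two places are not changed independently, e.g. `* But user2user avoids using the keys based on the password` / `* (samba_kdc_message2entry_keys() returns random keys for this flag),` / `* so we can allow it.`. samba_kdc_message2entry continues outside the hunk on both sides.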
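Review bot: `#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for ...` in the @@ -120 hunk lacks the space before the comment that the neighbouring defines have; `#define SDB_F_USER2USER_PRINCIPAL 524288 /* fetch is for the server of a user2user tgs-req */` matches them. The decimal literal also hides that this value has to equal Heimdal's `HDB_F_USER2USER_PRINCIPAL 0x80000` in hdb.h (524288 is 0x80000, so they do agree today), which is worth a short comment since the SDB_F_HDB_MASK passes it through to the HDB layer. The same spacing issue appears in the @@ -130 hunk's `SDB_F_ARMOR_PRINCIPAL| \`, which should read `SDB_F_ARMOR_PRINCIPAL | \` like most of the list.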
Flags:
metze
:
review+