Attachment 18176 Details for Bug 15492 – Patches for v4-19-test

[patch] Patches for v4-19-test

bug-15492-v4.19.patch.txt (text/plain), 8.05 KB, created by Jule Anger on 2023-10-25 07:45:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jule Anger

Created: 2023-10-25 07:45:37 UTC

Size: 8.05 KB

patch

obsolete

>From 36a014098101499e701ec0b25ed60f891494aa5f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 11 Oct 2023 15:54:15 +0200
>Subject: [PATCH 1/3] tests/krb5/kdc_tgs_tests: add user2user tests using a
> normal user account
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/knownfail.d/krb5_user2user | 1 +
> 1 file changed, 1 insertion(+)
> create mode 100644 selftest/knownfail.d/krb5_user2user
>
>diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user
>new file mode 100644
>index 000000000000..44e2f8d97299
>--- /dev/null
>+++ b/selftest/knownfail.d/krb5_user2user
>@@ -0,0 +1 @@
>+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req
>-- 
>2.34.1
>
>
>From 0f64f1ad2118e5f33697bafb3d31c1692b9a6f18 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 16 Oct 2023 12:33:15 +1300
>Subject: [PATCH 2/3] third_party/heimdal kdc: introduce
> HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit
> a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
>
>This allows HDB backends to do special handling for
>User2User TGS-REQs. The main reason is to let
>the HDB_F_GET_SERVER lookup to succeed even for
>non-computer accounts. In Samba these are typically
>not returned in HDB_F_GET_SERVER in order to avoid
>generating tickets with the user password.
>
>But for User2User the account password is not used,
>so it is safe to return the server entry.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
>
>(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)
>---
> third_party/heimdal/kdc/krb5tgs.c | 7 ++++++-
> third_party/heimdal/lib/hdb/hdb.h | 1 +
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
>diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
>index 79dbe6622f46..e7f0e1e49dd5 100644
>--- a/third_party/heimdal/kdc/krb5tgs.c
>+++ b/third_party/heimdal/kdc/krb5tgs.c
>@@ -1380,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv,
> 
>     Key *tkey_sign;
>     int flags = HDB_F_FOR_TGS_REQ;
>+    int server_flags;
> 
>     int result;
> 
>@@ -1401,6 +1402,10 @@ tgs_build_reply(astgs_request_t priv,
>     if (b->kdc_options.canonicalize)
> 	flags |= HDB_F_CANON;
> 
>+    server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
>+    if (b->kdc_options.enc_tkt_in_skey)
>+	server_flags |= HDB_F_USER2USER_PRINCIPAL;
>+
>     if (s == NULL) {
> 	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
>         _kdc_set_const_e_text(priv, "No server in request");
>@@ -1438,7 +1443,7 @@ server_lookup:
>         _kdc_free_ent(context, serverdb, priv->server);
>     priv->server = NULL;
>     ret = _kdc_db_fetch(context, config, priv->server_princ,
>-                        HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
>+                        server_flags,
> 			NULL, &serverdb, &priv->server);
>     priv->serverdb = serverdb;
>     if (ret == HDB_ERR_NOT_FOUND_HERE) {
>diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
>index 6534766a18cf..bd40e5a57690 100644
>--- a/third_party/heimdal/lib/hdb/hdb.h
>+++ b/third_party/heimdal/lib/hdb/hdb.h
>@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
> #define HDB_F_SYNTHETIC_OK	0x10000	/* synthetic principal for PKINIT or GSS preauth OK */
> #define HDB_F_GET_FAST_COOKIE	0x20000	/* fetch the FX-COOKIE key (not a normal principal) */
> #define HDB_F_ARMOR_PRINCIPAL	0x40000	/* fetch is for the client of an armor ticket */
>+#define HDB_F_USER2USER_PRINCIPAL	0x80000	/* fetch is for the server of a user2user tgs-req */
> 
> /* hdb_capability_flags */
> #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
>-- 
>2.34.1
>
>
>From 0bce532ad0f2f1acaf8fe8a748b0a72fcd357656 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 11 Oct 2023 15:58:22 +0200
>Subject: [PATCH 3/3] s4:kdc: fix user2user tgs-requests for normal user
> accounts
>
>User2User tgs requests use the session key of the additional
>ticket instead of the long term keys based on the password.
>
>In addition User2User also asserts that client and server
>are the same account (cecked based on the sid).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
>
>(cherry picked from commit bf79979f847de36db9da9646a396cdfe6b0e1c6f)
>---
> selftest/knownfail.d/krb5_user2user |  1 -
> source4/kdc/db-glue.c               | 30 ++++++++++++++++++++++++++---
> source4/kdc/sdb.h                   |  4 +++-
> 3 files changed, 30 insertions(+), 5 deletions(-)
> delete mode 100644 selftest/knownfail.d/krb5_user2user
>
>diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user
>deleted file mode 100644
>index 44e2f8d97299..000000000000
>--- a/selftest/knownfail.d/krb5_user2user
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index 5894b47ecd9e..a55f66e94c7f 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -624,6 +624,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
> 		}
> 	}
> 
>+	if (flags & SDB_F_USER2USER_PRINCIPAL) {
>+		/*
>+		 * User2User uses the session key
>+		 * from the additional ticket,
>+		 * so we just provide random keys
>+		 * here in order to make sure
>+		 * we never expose the user password
>+		 * keys.
>+		 */
>+		ret = samba_kdc_set_random_keys(context,
>+						supported_enctypes,
>+						&entry->keys);
>+
>+		*supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;
>+
>+		goto out;
>+	}
>+
> 	if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
> 	    && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
> 		ret = samba_kdc_set_random_keys(context,
>@@ -1093,6 +1111,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
> 	const struct authn_kerberos_client_policy *authn_client_policy = NULL;
> 	const struct authn_server_policy *authn_server_policy = NULL;
> 	int64_t enforced_tgt_lifetime_raw;
>+	const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL);
> 
> 	ZERO_STRUCTP(entry);
> 
>@@ -1174,12 +1193,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
> 	 */
> 	entry->flags.force_canonicalize = true;
> 
>-	/* Windows 2008 seems to enforce this (very sensible) rule by
>+	/*
>+	 * Windows 2008 seems to enforce this (very sensible) rule by
> 	 * default - don't allow offline attacks on a user's password
> 	 * by asking for a ticket to them as a service (encrypted with
>-	 * their probably patheticly insecure password) */
>+	 * their probably pathetically insecure password)
>+	 *
>+	 * But user2user avoids using the keys bases on the password,
>+	 * so we can allow it.
>+	 */
> 
>-	if (entry->flags.server
>+	if (entry->flags.server && !user2user
> 	    && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
> 		if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
> 			entry->flags.server = 0;
>diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
>index e59d22434fd6..d2fb67bd9e72 100644
>--- a/source4/kdc/sdb.h
>+++ b/source4/kdc/sdb.h
>@@ -120,6 +120,7 @@ struct sdb_entry {
> #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
> #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
> #define SDB_F_ARMOR_PRINCIPAL 262144	/* fetch is for the client of an armor ticket */
>+#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */
> 
> #define SDB_F_HDB_MASK		(SDB_F_DECRYPT | \
> 				 SDB_F_GET_CLIENT| \
>@@ -130,7 +131,8 @@ struct sdb_entry {
> 				 SDB_F_KVNO_SPECIFIED | \
> 				 SDB_F_FOR_AS_REQ | \
> 				 SDB_F_FOR_TGS_REQ | \
>-				 SDB_F_ARMOR_PRINCIPAL)
>+				 SDB_F_ARMOR_PRINCIPAL| \
>+				 SDB_F_USER2USER_PRINCIPAL)
> 
> /* This is not supported by HDB */
> #define SDB_F_FORCE_CANON	16384	/* force canonicalization */
>-- 
>2.34.1

Flags:

metze: review+

Actions: View

Attachments on bug 15492: 18159 | 18176