Bug 12007 - winbindd makes spurious Kerberos AS requests for root@<realm>
winbindd makes spurious Kerberos AS requests for root@<realm>
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2016-07-03 20:41 UTC by Uri Simchoni
Modified: 2016-10-12 06:17 UTC (History)
3 users (show)

See Also:

patch for 4.4.next and 4.3.next (4.40 KB, patch)
2016-07-12 04:23 UTC, Uri Simchoni
metze: review+
uri: review? (gd)

Note You need to log in before you can comment on or make changes to this bug.
Description Uri Simchoni 2016-07-03 20:41:56 UTC
* This is verified with Heimdal, not sure the bug exists with MIT Kerberos.

Since the April-2016 security fix, Winbindd makes spurious Kerberos AS requests to root@<realm>.

To reproduce on a member server using bundled Heimdal:
1. restart winbindd
2. start a packet capture
3. open an SMB connection to the server using AD credentials (kerberos or NTLM using an AD user).
4. Stop the packet capture and filter Kerberos packets - AS requests to root@<domain> can be seen before the actual AS requests that obtain a TGT for the purpose of binding an LDAP connection.

This can also be reproduced by running "net ads testjoin". OTOH, when running "net ads join -k" the problem is not reproduced.

The functional effect can be annoying audit logs at the DC.

The root cause seems to be that gensec_gse, the post-security-release ldap bind agent, uses gss_acquire_cred(), and if credentials do not exist (yet), then gss_acquire_cred() generates this AS request for the current user (root in the case of winbindd). I have no idea what good can come out of this AS request - even if the DC did not use pre-authentication, there would be no way to use this TGT, but this is how it works anyway.

In the case of "net ads join -k", the ldap connection gets opened after an SMB connection and the credentials are obtained without this AS request.
Comment 1 Uri Simchoni 2016-07-11 17:55:45 UTC
Based on discussions in samba-technical, it seems like the issue is specific to Heimdal. MIT won't generate an AS request in this case.
Comment 2 Uri Simchoni 2016-07-12 04:23:35 UTC
Created attachment 12269 [details]
patch for 4.4.next and 4.3.next

The patch also applies cleanly to v4-2-next, but I can't see how this would be a security issue, at least in the context of winbindd and the net command. If we issue yet another bugfix 4.2.x release, then this should go in. Otherwise, users, packagers and vendors based on 4.2.x are advised to use this patch to fix Windows DC audit logs complaining on attempts to request a TGT for root@DOMAIN.
Comment 3 Karolin Seeger 2016-08-02 07:22:03 UTC
Pushed to autobuild-v4-[4|3]-test.
Comment 4 Karolin Seeger 2016-08-05 07:39:30 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to both branches.
Closing out bug report.