The Samba-Bugzilla – Bug 12007
winbindd makes spurious Kerberos AS requests for root@<realm>
Last modified: 2016-10-12 06:17:34 UTC
* This is verified with Heimdal, not sure the bug exists with MIT Kerberos.
Since the April-2016 security fix, Winbindd makes spurious Kerberos AS requests to root@<realm>.
To reproduce on a member server using bundled Heimdal:
1. restart winbindd
2. start a packet capture
3. open an SMB connection to the server using AD credentials (kerberos or NTLM using an AD user).
4. Stop the packet capture and filter Kerberos packets - AS requests to root@<domain> can be seen before the actual AS requests that obtain a TGT for the purpose of binding an LDAP connection.
This can also be reproduced by running "net ads testjoin". OTOH, when running "net ads join -k" the problem is not reproduced.
The functional effect can be annoying audit logs at the DC.
The root cause seems to be that gensec_gse, the post-security-release ldap bind agent, uses gss_acquire_cred(), and if credentials do not exist (yet), then gss_acquire_cred() generates this AS request for the current user (root in the case of winbindd). I have no idea what good can come out of this AS request - even if the DC did not use pre-authentication, there would be no way to use this TGT, but this is how it works anyway.
In the case of "net ads join -k", the ldap connection gets opened after an SMB connection and the credentials are obtained without this AS request.
Based on discussions in samba-technical, it seems like the issue is specific to Heimdal. MIT won't generate an AS request in this case.
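One way to verify on a member server whether the behaviour described above is present, as an added example that is not part of the bug report or of Samba: the script below parses a tab-separated field export of Kerberos messages from a packet capture and lists the AS-REQs whose client principal is a local Unix account such as root, together with the genuine AS-REQs that follow them. The tshark invocation quoted in the docstring, its field names, the realm EXAMPLE.COM and the sample lines are all assumptions constructed for the example.

```python
"""Flag Kerberos AS-REQs whose client principal is a local Unix account.

Added example, not code from the Samba bug report. The assumed input is a
tab-separated tshark field export (the command and field names are assumed):

    tshark -r winbindd.pcap -Y kerberos -T fields \
        -e frame.time_relative -e kerberos.msg_type \
        -e kerberos.CNameString -e kerberos.realm

Each line carries: relative time, message type, client name, realm.
"""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List

KRB_AS_REQ = 10  # message type of an AS-REQ (RFC 4120)


@dataclass(frozen=True)
class AsRequest:
    time: float
    cname: str
    realm: str


def parse_tshark_fields(text: str) -> List[AsRequest]:
    """Keep only AS-REQs from the export; other message types are skipped."""
    requests = []
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"expected 4 tab-separated fields: {raw!r}")
        time, msg_type, cname, realm = fields
        if int(msg_type) != KRB_AS_REQ:
            continue
        requests.append(AsRequest(float(time), cname, realm))
    return requests


# Local account names that should never appear as an AD client principal.
# The report describes root@<realm>; extending the set is an assumption.
LOCAL_ACCOUNTS: FrozenSet[str] = frozenset({"root"})


def spurious_requests(requests: List[AsRequest],
                      local_accounts: FrozenSet[str] = LOCAL_ACCOUNTS
                      ) -> List[AsRequest]:
    """AS-REQs whose client name is a local Unix account, not an AD principal."""
    return [r for r in requests if r.cname in local_accounts]


def report(text: str) -> Dict[str, object]:
    """Summarise the capture: every spurious request and the genuine AS-REQ
    (if any) that follows it, matching the ordering described in step 4."""
    requests = parse_tshark_fields(text)
    spurious = spurious_requests(requests)
    followed_by = []
    for bad in spurious:
        later = [r for r in requests
                 if r.time > bad.time and r.cname not in LOCAL_ACCOUNTS]
        followed_by.append(later[0].cname if later else None)
    return {
        "as_req_total": len(requests),
        "spurious": [f"{r.cname}@{r.realm}" for r in spurious],
        "followed_by": followed_by,
    }


# Constructed sample export: an AS-REQ for root, the KDC's KRB-ERROR (type 30)
# demanding pre-authentication, then the real AS-REQ for the machine account.
SAMPLE_EXPORT = (
    "0.000000\t10\troot\tEXAMPLE.COM\n"
    "0.001200\t30\t\tEXAMPLE.COM\n"
    "0.004500\t10\tMEMBER$\tEXAMPLE.COM\n"
    "0.006000\t11\tMEMBER$\tEXAMPLE.COM\n"
)

if __name__ == "__main__":
    for key, value in report(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run against an export taken after restarting winbindd and opening an SMB connection with AD credentials, as in the reproduction steps; with the fix applied, `spurious` should be empty and only the member server's own principal should request a TGT.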
Created attachment 12269 [details]
patch for 4.4.next and 4.3.next
The patch also applies cleanly to v4-2-next, but I can't see how this would be a security issue, at least in the context of winbindd and the net command. If we issue yet another bugfix 4.2.x release, then this should go in. Otherwise, users, packagers and vendors based on 4.2.x are advised to use this patch to fix Windows DC audit logs complaining about attempts to request a TGT for root@DOMAIN.
Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #3)
Pushed to both branches.
Closing out bug report.