Bug 12907 - pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains with more than 1 hop between server and user realm when using heimdal
pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted dom...
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.7.0rc2
All All
: P5 normal
: ---
Assigned To: Stefan Metzmacher
Samba QA Contact
:
Depends on:
Blocks: 14125 14124
  Show dependency treegraph
 
Reported: 2017-07-14 12:45 UTC by Stefan Metzmacher
Modified: 2019-11-21 14:32 UTC (History)
3 users (show)

See Also:


Attachments
Work in progress for master (33.32 KB, patch)
2019-09-26 06:04 UTC, Stefan Metzmacher
no flags Details
all.keytab (for krb5-without-pac-fake-realm-03.pcap.gz and krb5-with-pac-fake-realm-03.pcap.gz) (110.04 KB, application/octet-stream)
2019-11-21 14:31 UTC, Stefan Metzmacher
no flags Details
krb5-without-pac-fake-realm-03.pcap.gz (2.73 KB, application/gzip)
2019-11-21 14:31 UTC, Stefan Metzmacher
no flags Details
krb5-with-pac-fake-realm-03.pcap.gz (5.14 KB, application/gzip)
2019-11-21 14:32 UTC, Stefan Metzmacher
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2017-07-14 12:45:09 UTC
I have the following setup:

Member in W4EDOM-L4.BASE
user in S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
chain:
W4EDOM-L4.BASE
<=Forest-Trust=>
W2012R2-L4.BASE
<=Parent-Child-Trust=>
S1-W2012-L4.W2012R2-L4.BASE
<=Parent-Child-Trust=>
S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE

The ticket for administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
arrives on the member with transited = S1-W2012-L4.W2012R2-L4.BASE,
which was added by the DC of W2012R2-L4.BASE.

The function krb5_check_transited() is called via gss_accept_sec_context()
and fails with KRB5KRB_AP_ERR_ILL_CR_TKT; Which causes krb5_decrypt_ticket()
to fail, in the log file it seems that the provided keytab didn't
have the correct key to decrypt.
Comment 1 Stefan Metzmacher 2019-09-13 12:26:04 UTC
The same problem happens with MIT Kerberos.
Comment 2 Stefan Metzmacher 2019-09-23 22:39:36 UTC
There were a discussion about this in August 2017:
https://lists.samba.org/archive/samba-technical/2017-August/thread.html#122422
Comment 3 Stefan Metzmacher 2019-09-26 06:04:37 UTC
Created attachment 15491 [details]
Work in progress for master
Comment 4 Stefan Metzmacher 2019-11-21 14:29:49 UTC
See also
https://lists.samba.org/archive/samba-technical/2019-November/thread.html#134553
...

> I've used a modified Samba KDC (realm W4EDOM-L4.BASE) to generate
> tickets with invalid names (crealm: FAKEPRINC.PUBLIC)
> and tested the reaction of Windows KDC (realm: W2012R2-L4.BASE) when
> they received such a Ticket over a forest trust, where realm
> FAKRPRINC.PUBLIC is not configure as valid realm (upn-suffix) the for
> the trust boundary.
>
> krb5-without-pac-fake-realm-03.pcap.gz has no PAC in the ticket for
> TGS-REQ in frame 9. The crealm: FAKEPRINC.PUBLIC is rejected with
> ERR_POLICY in frame 10.
>
> krb5-with-pac-fake-realm-03.pcap.gz has a valid PAC (with the correct
> names and signatures) but an altered crealm. This is also rejected with
> ERR_POLICY.
>
> So the policy check are not bound to the PAC, which means we can always
> use GSS_KRB5_CRED_NO_TRANSIT_CHECK_X if we're member of an active
> directory domain.
...

I'll also upload the captures and keytab here too...
Comment 5 Stefan Metzmacher 2019-11-21 14:31:18 UTC
Created attachment 15627 [details]
all.keytab (for krb5-without-pac-fake-realm-03.pcap.gz and krb5-with-pac-fake-realm-03.pcap.gz)
Comment 6 Stefan Metzmacher 2019-11-21 14:31:40 UTC
Created attachment 15628 [details]
krb5-without-pac-fake-realm-03.pcap.gz
Comment 7 Stefan Metzmacher 2019-11-21 14:32:02 UTC
Created attachment 15629 [details]
krb5-with-pac-fake-realm-03.pcap.gz