Bug 13131 - S4U2Proxy requests with encrypted authorization-data are rejected by a Samba KDC
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-14 14:59 UTC by Stefan Metzmacher
Modified: 2023-06-22 08:08 UTC

Attachments
Work in progress patches (8.31 KB, patch)
2017-12-13 12:37 UTC, Stefan Metzmacher

Description Stefan Metzmacher 2017-11-14 14:59:56 UTC
Modern Windows versions send encrypted authorization-data along with
TGS requests.

If this is combined with S4U2Proxy requests, a Samba (Heimdal-based) KDC
is unable to decrypt the authorization data from the client.
Comment 1 Stefan Metzmacher 2017-12-13 12:37:56 UTC
Created attachment 13863
Work in progress patches
Comment 2 Stefan Metzmacher 2022-03-25 11:14:54 UTC
Comment on attachment 13863
Work in progress patches

The current patches are on https://gitlab.com/samba-team/samba/-/merge_requests/2458
Comment 3 Samba QA Contact 2023-06-22 00:23:04 UTC
This bug was referenced in samba master:

489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd
Comment 4 Stefan Metzmacher 2023-06-22 08:06:32 UTC
Will be fixed in 4.19