13539 – Samba generates the wrong salt for the trusted domain user account

Bug 13539 - Samba generates the wrong salt for the trusted domain user account

Summary: Samba generates the wrong salt for the trusted domain user account

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.9.0rc1
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-07-19 07:28 UTC by Stefan Metzmacher
Modified:	2018-09-07 07:44 UTC (History)
CC List:	6 users (show)

See Also:

Attachments
Patches for v4-9-test (21.64 KB, patch) 2018-09-05 07:48 UTC, Stefan Metzmacher	metze: review? (ab) metze: review? (abartlet) slow: review+	Details
Patches for v4-8-test (21.66 KB, patch) 2018-09-05 07:49 UTC, Stefan Metzmacher	slow: review+	Details
Patches for v4-7-test (21.70 KB, patch) 2018-09-05 07:49 UTC, Stefan Metzmacher	slow: review+	Details
Patches for v4-8-test (22.65 KB, patch) 2018-09-05 09:11 UTC, Stefan Metzmacher	metze: review? (ab) metze: review? (abartlet) slow: review+	Details
Patches for v4-7-test (22.70 KB, patch) 2018-09-05 09:12 UTC, Stefan Metzmacher	metze: review? (ab) metze: review? (abartlet) slow: review+	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2018-07-19 07:28:44 UTC

The salt principal for the BLA$ user object is wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.

Comment 1 Stefan Metzmacher 2018-08-28 14:13:25 UTC

    
    TODO: unit tests: loop over all account types with, loop over names with
    and without upn, with and without '$'. Use 'eXaMpLe.COM' and similar
    names to check the correct upper/lower case result.
    
    TODO: Also verify this against windows...
    A test can create objects via ldap and/or lsa (for trusts)
    then get the object including supplementalCredentials
    via drsuapi (as admin) and check the stored salt.
    We should have similar tests already.

Comment 2 Stefan Metzmacher 2018-09-05 07:48:35 UTC

Created attachment 14479 [details]
Patches for v4-9-test

Comment 3 Stefan Metzmacher 2018-09-05 07:49:20 UTC

Created attachment 14480 [details]
Patches for v4-8-test

Comment 4 Stefan Metzmacher 2018-09-05 07:49:49 UTC

Created attachment 14481 [details]
Patches for v4-7-test

Comment 5 Ralph Böhme 2018-09-05 08:03:10 UTC

Reassigning to Karolin for inclusion in 4.7, 4.8 and 4.9.

Comment 6 Alexander Bokovoy 2018-09-05 08:10:10 UTC

Thank you everyone for getting this change into the releases!

Comment 7 Karolin Seeger 2018-09-05 08:33:13 UTC

(In reply to Ralph Böhme from comment #5)
Pushed to autobuild-v4-{9,8,7}-test.

Comment 8 Karolin Seeger 2018-09-05 08:44:08 UTC

(In reply to Karolin Seeger from comment #7)
Breaks the build in v4-7-test und v4-8-test:

[1566/4223] Compiling lib/util/util_tdb.c
[1567/4223] Compiling lib/krb5_wrap/krb5_samba.c
../lib/krb5_wrap/krb5_samba.c: In function â€˜smb_krb5_salt_principalâ€™:
../lib/krb5_wrap/krb5_samba.c:513:18: error: â€˜UF_TRUST_ACCOUNT_MASKâ€™ undeclared (first use in this function)
  if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
                  ^
../lib/krb5_wrap/krb5_samba.c:513:18: note: each undeclared identifier is reported only once for each function it appears in
Waf: Leaving directory `/memdisk/kseeger/a47/b1529339/samba/bin'
Build failed:  -> task failed (err #1): 
	{task: cc krb5_samba.c -> krb5_samba_1.o}
make: *** [all] Error 1

Comment 9 Stefan Metzmacher 2018-09-05 09:11:18 UTC

Created attachment 14482 [details]
Patches for v4-8-test

commit 8497d2090900b252853278f29a4aaf3bce7515da
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK

was missing in 4.8 and 4.7

Comment 10 Stefan Metzmacher 2018-09-05 09:12:17 UTC

Created attachment 14483 [details]
Patches for v4-7-test

commit 8497d2090900b252853278f29a4aaf3bce7515da
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK

was missing in 4.8 and 4.7

Comment 11 Karolin Seeger 2018-09-07 07:44:07 UTC

Pushed to all branches.
Closing out bug report.

Thanks!