Bug 13539 - Samba generates the wrong salt for the trusted domain user account
Samba generates the wrong salt for the trusted domain user account
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.9.0rc1
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-19 07:28 UTC by Stefan Metzmacher
Modified: 2018-09-07 07:44 UTC (History)
6 users (show)

See Also:


Attachments
Patches for v4-9-test (21.64 KB, patch)
2018-09-05 07:48 UTC, Stefan Metzmacher
metze: review? (ab)
metze: review? (abartlet)
slow: review+
Details
Patches for v4-8-test (21.66 KB, patch)
2018-09-05 07:49 UTC, Stefan Metzmacher
slow: review+
Details
Patches for v4-7-test (21.70 KB, patch)
2018-09-05 07:49 UTC, Stefan Metzmacher
slow: review+
Details
Patches for v4-8-test (22.65 KB, patch)
2018-09-05 09:11 UTC, Stefan Metzmacher
metze: review? (ab)
metze: review? (abartlet)
slow: review+
Details
Patches for v4-7-test (22.70 KB, patch)
2018-09-05 09:12 UTC, Stefan Metzmacher
metze: review? (ab)
metze: review? (abartlet)
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2018-07-19 07:28:44 UTC
The salt principal for the BLA$ user object is wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.
Comment 1 Stefan Metzmacher 2018-08-28 14:13:25 UTC
    
    TODO: unit tests: loop over all account types with, loop over names with
    and without upn, with and without '$'. Use 'eXaMpLe.COM' and similar
    names to check the correct upper/lower case result.
    
    TODO: Also verify this against windows...
    A test can create objects via ldap and/or lsa (for trusts)
    then get the object including supplementalCredentials
    via drsuapi (as admin) and check the stored salt.
    We should have similar tests already.
Comment 2 Stefan Metzmacher 2018-09-05 07:48:35 UTC
Created attachment 14479 [details]
Patches for v4-9-test
Comment 3 Stefan Metzmacher 2018-09-05 07:49:20 UTC
Created attachment 14480 [details]
Patches for v4-8-test
Comment 4 Stefan Metzmacher 2018-09-05 07:49:49 UTC
Created attachment 14481 [details]
Patches for v4-7-test
Comment 5 Ralph Böhme 2018-09-05 08:03:10 UTC
Reassigning to Karolin for inclusion in 4.7, 4.8 and 4.9.
Comment 6 Alexander Bokovoy 2018-09-05 08:10:10 UTC
Thank you everyone for getting this change into the releases!
Comment 7 Karolin Seeger 2018-09-05 08:33:13 UTC
(In reply to Ralph Böhme from comment #5)
Pushed to autobuild-v4-{9,8,7}-test.
Comment 8 Karolin Seeger 2018-09-05 08:44:08 UTC
(In reply to Karolin Seeger from comment #7)
Breaks the build in v4-7-test und v4-8-test:

[1566/4223] Compiling lib/util/util_tdb.c
[1567/4223] Compiling lib/krb5_wrap/krb5_samba.c
../lib/krb5_wrap/krb5_samba.c: In function ‘smb_krb5_salt_principal’:
../lib/krb5_wrap/krb5_samba.c:513:18: error: ‘UF_TRUST_ACCOUNT_MASK’ undeclared (first use in this function)
  if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
                  ^
../lib/krb5_wrap/krb5_samba.c:513:18: note: each undeclared identifier is reported only once for each function it appears in
Waf: Leaving directory `/memdisk/kseeger/a47/b1529339/samba/bin'
Build failed:  -> task failed (err #1): 
	{task: cc krb5_samba.c -> krb5_samba_1.o}
make: *** [all] Error 1
Comment 9 Stefan Metzmacher 2018-09-05 09:11:18 UTC
Created attachment 14482 [details]
Patches for v4-8-test

commit 8497d2090900b252853278f29a4aaf3bce7515da
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK

was missing in 4.8 and 4.7
Comment 10 Stefan Metzmacher 2018-09-05 09:12:17 UTC
Created attachment 14483 [details]
Patches for v4-7-test

commit 8497d2090900b252853278f29a4aaf3bce7515da
libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK

was missing in 4.8 and 4.7
Comment 11 Karolin Seeger 2018-09-07 07:44:07 UTC
Pushed to all branches.
Closing out bug report.

Thanks!