Bug 14155 - kpasswd fails when built with MIT Kerberos
Summary: kpasswd fails when built with MIT Kerberos
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.11.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-09 16:00 UTC by Andreas Schneider
Modified: 2019-11-04 09:21 UTC
CC: 5 users

See Also:


Attachments
patch for 4.11 (3.50 KB, patch), 2019-10-14 08:15 UTC, Andreas Schneider; metze: review+
patch for 4.10 (3.46 KB, patch), 2019-10-14 08:17 UTC, Andreas Schneider; no flags
patch for 4.10 (3.39 KB, patch), 2019-10-14 08:37 UTC, Andreas Schneider; metze: review+

Description Andreas Schneider 2019-10-09 16:00:09 UTC
Changing password with kpasswd (e.g. net ads changetrustpw) fails when built with MIT Kerberos. This is because upstream MIT has a bug when requesting canonicalization for non krbtgt requests. For example:

`kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM`

We need to revert the MIT part of commit 03b7e59a286896888ee2473995fc50bb2b5ce5e.
Comment 1 Andreas Schneider 2019-10-09 16:01:21 UTC
MR: https://gitlab.com/samba-team/samba/merge_requests/840
Comment 2 Stefan Metzmacher 2019-10-11 10:39:45 UTC
(In reply to Andreas Schneider from comment #0)

This is about commit 303b7e59a286896888ee2473995fc50bb2b5ce5e
and not 03b7e59a286896888ee2473995fc50bb2b5ce5e...
Comment 3 Stefan Metzmacher 2019-10-11 10:42:27 UTC
Can you be more specific on what's wrong?
Does that only happen if the service is kadmin/changepw@* ?

Is there an MIT bug report?
Comment 4 Isaac Boukris 2019-10-11 11:23:23 UTC
As discussed in MR 840, MIT client won't allow name canonicalization in AS exchange if the service is anything but krbtgt, see:
https://github.com/krb5/krb5/blob/154551ad22e90d2e5f60103059fbaaadac017420/src/lib/krb5/krb/get_in_tkt.c#L231

Per RFC 6806 it should be okay, especially since it's the client name that changed, not the server, and especially if we check PA-REQ-ENC-PA-REP in the returned encrypted padata, which MIT does (as does Heimdal upstream).
So I want to add a check in case we verified returned PA-REQ-ENC-PA-REP to allow canonicalization even for non krbtgt servers. I'll update once I submit a PR upstream.
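The acceptance rule discussed in the description and in this comment, as an added model written for this page (it is not MIT's get_in_tkt.c, Samba code, or the upstream PR). A toy KDC canonicalizes the case of the client name from the reproducer (`aDmInIsTrAtOr` requesting `kadmin/changepw`) and places a keyed checksum of the request in the encrypted part of the reply, standing in for PA-REQ-ENC-PA-REP. The client then decides whether to accept the renamed client principal under the strict rule (krbtgt services only, the behaviour that makes kpasswd fail) and under the relaxed rule proposed above (any service, provided the returned PA-REQ-ENC-PA-REP verifies). The wire encoding, directory, and reply key are constructed stand-ins, and the HMAC-SHA256 checksum replaces the real Kerberos checksum type.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


def encode_as_req(cname: str, sname: str, realm: str, canonicalize: bool) -> bytes:
    # Constructed stand-in for the DER-encoded AS-REQ that a real client checksums.
    return f"{cname}|{sname}|{realm}|{int(canonicalize)}".encode()


@dataclass
class AsReq:
    cname: str          # client principal as typed, e.g. "aDmInIsTrAtOr"
    sname: str          # requested service, e.g. "kadmin/changepw"
    realm: str
    canonicalize: bool  # the -C flag of kinit

    def raw(self) -> bytes:
        return encode_as_req(self.cname, self.sname, self.realm, self.canonicalize)


@dataclass
class AsRep:
    cname: str                   # client name as returned by the KDC (possibly canonicalized)
    sname: str
    enc_pa_rep: Optional[bytes]  # stand-in for PA-REQ-ENC-PA-REP from the encrypted part


def req_checksum(reply_key: bytes, raw_req: bytes) -> bytes:
    # Keyed checksum over the request; only a party holding the reply key can
    # produce it, which is what lets the client trust a changed client name.
    return hmac.new(reply_key, raw_req, hashlib.sha256).digest()


def toy_kdc(req: AsReq, reply_key: bytes, directory: Dict[str, str]) -> AsRep:
    """Constructed KDC: looks the client up case-insensitively and, when
    canonicalization was requested, returns the directory's spelling."""
    canonical = directory[req.cname.lower()]
    cname = canonical if req.canonicalize else req.cname
    return AsRep(cname=cname, sname=req.sname,
                 enc_pa_rep=req_checksum(reply_key, req.raw()))


def enc_pa_rep_verified(req: AsReq, rep: AsRep, reply_key: bytes) -> bool:
    """True only if the reply carries a checksum matching the request we sent."""
    if rep.enc_pa_rep is None:
        return False
    return hmac.compare_digest(rep.enc_pa_rep, req_checksum(reply_key, req.raw()))


def accept_as_rep(req: AsReq, rep: AsRep, reply_key: bytes,
                  allow_verified_non_krbtgt: bool) -> bool:
    """Client-side decision on a reply whose client name differs from the request.

    allow_verified_non_krbtgt=False models the strict rule (only krbtgt may
    canonicalize the client name); True models the relaxed rule (any service,
    provided PA-REQ-ENC-PA-REP verified). A model for this page, not MIT's code.
    """
    if rep.cname == req.cname:
        return True   # nothing was renamed
    if not req.canonicalize:
        return False  # the KDC renamed us without being asked to
    if req.sname.split("/")[0] == "krbtgt":
        return True   # strict rule: TGT requests may be canonicalized
    return allow_verified_non_krbtgt and enc_pa_rep_verified(req, rep, reply_key)


if __name__ == "__main__":
    directory = {"administrator": "Administrator"}   # constructed
    key = b"constructed-reply-key"
    req = AsReq("aDmInIsTrAtOr", "kadmin/changepw", "ACME.COM", canonicalize=True)
    rep = toy_kdc(req, key, directory)
    print("strict rule accepts:", accept_as_rep(req, rep, key, False))
    print("relaxed rule accepts:", accept_as_rep(req, rep, key, True))
```

Under the strict rule the kadmin/changepw request is refused purely because the service is not krbtgt, even though the checksum proves the KDC answered the exact request we sent; under the relaxed rule it is accepted, while a reply with no verifiable PA-REQ-ENC-PA-REP is still refused.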
Comment 5 Isaac Boukris 2019-10-11 18:11:28 UTC
Upstream PR: https://github.com/krb5/krb5/pull/986
Comment 6 Andreas Schneider 2019-10-14 08:15:43 UTC
Created attachment 15532 [details]
patch for 4.11
Comment 7 Andreas Schneider 2019-10-14 08:17:38 UTC
Created attachment 15533 [details]
patch for 4.10
Comment 8 Andreas Schneider 2019-10-14 08:37:41 UTC
Created attachment 15534 [details]
patch for 4.10
Comment 9 Karolin Seeger 2019-10-17 08:02:23 UTC
Both patches do not apply on current test branches.
Re-assigning to Andreas.
Comment 10 Andreas Schneider 2019-10-17 08:43:57 UTC
Karolin, they are already applied on both branches ...

Metze pushed them.

commit 3ad42536f873f21cc2db774ca3ea694ca7142253 (HEAD -> v4-10-test, origin/v4-10-test)
Author:     Andreas Schneider <asn@samba.org>
AuthorDate: Wed Oct 9 16:32:47 2019 +0200
Commit:     Stefan Metzmacher <metze@samba.org>
CommitDate: Wed Oct 16 16:43:59 2019 +0000


Closing :-)
Comment 11 Isaac Boukris 2019-11-04 09:21:46 UTC
FYI the upstream MIT PR 986 has landed so the fix will be in v1.18 once released.