Bug 14688 - S4U2Self request failed
Summary: S4U2Self request failed
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.11.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-14 21:12 UTC by Remi PAETA
Modified: 2021-04-15 18:25 UTC
Description Remi PAETA 2021-04-14 21:12:41 UTC
Hello,

A bug seems to be observed in the formulation of the response of the KDC to S4U2Self requests.
This problem has been observed when using an OpenSSH server on a Windows machine (W10, Windows Server 2016). It appears that machines receiving a ticket with non-HMAC encryption fail to authenticate domain users. The same thing happens in public key authentication.
You will find more information on this link:
https://github.com/PowerShell/Win32-OpenSSH/issues/1543
Someone working for the Windows Auth team noticed a problem with a Wireshark packet capture.
Please find his comment by following this link.
https://github.com/PowerShell/Win32-OpenSSH/issues/1543#issuecomment-818986844
In addition, I was able to find a document dealing with the S4U2Self written by Stefan Metzmacher.
https://www.samba.org/~metze/presentations/2020/SambaXP/StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
It seems that the bug has been fixed in the 7.7.0 release of Heimdal.
Comment 1 Remi PAETA 2021-04-15 15:58:53 UTC
The bug is fixed in version 4.13 of Samba by this commit:
https://gitlab.com/samba-team/samba/-/commit/6095a4f0d58cad3dde6e76cadd7bcae0a240c9e6

Would it be possible to have a patch with this commit for versions 4.9, 4.10, 4.11, and 4.12 please?
Comment 3 Andrew Bartlett 2021-04-15 18:25:23 UTC
I'm very sorry, but per https://wiki.samba.org/index.php/Samba_Release_Planning#General_information Samba 4.12 and earlier are now only supported for security fixes, not general fixes.

You could approach whoever is supporting your older Samba versions to backport a patch, but otherwise we strongly recommend an upgrade to a supported version.

As the fix is noted as being in Samba 4.13 we need to mark this as RESOLVED/FIXED here.

Sorry,