We should disable or secure Kerberos user2user (enc_tkt_in_skey).
* We need to look up the SPN given in the original request and confirm it matches the name in the TGT given in the enc_tkt_in_skey.
* We need to check the RODC rules for that ticket.
* We need to validate the PAC for that ticket and confirm the name still matches.
This bug was referenced in samba v4-14-stable (Release samba-4.14.10).
This bug was referenced in samba v4-15-stable (Release samba-4.15.2).
This bug was referenced in samba v4-13-stable (Release samba-4.13.14).
This bug was referenced in samba v4-14-test.
This bug was referenced in samba v4-13-test.
This bug was referenced in samba v4-15-test.
This bug was referenced in samba master.
The patches addressing this issue have been pushed to master and security releases made.
Removing embargo.
The fundamental issue is that Samba did not follow: https://datatracker.ietf.org/doc/html/draft-ietf-cat-user2user-02
> If the server name and realm in the TGT request message
> do not match the name of the service, then the service
> should return the error KRB_AP_ERR_NOT_US.
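
The name check listed in the first comment and required by the quoted draft text, as an added example that is not Samba or Heimdal code and is not part of the original thread. The account table, the `u2u_check_target` and `lookup_spn` names, and the case-insensitive name comparison are assumptions; the RODC and PAC checks are not modeled.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added illustration, not Samba or Heimdal code; every name here is hypothetical. */
#define U2U_OK            0
#define KRB_AP_ERR_NOT_US 35 /* RFC 4120 value of the error the draft names */

struct account {
    const char *name;         /* account (client principal) name */
    const char *realm;
    const char *const *spns;  /* NULL-terminated list of registered SPNs */
};

/* Constructed sample directory. */
static const char *const alice_spns[] = { "host/alice-ws.example.test", NULL };
static const char *const bob_spns[] = { NULL };
static const struct account directory[] = {
    { "alice", "EXAMPLE.TEST", alice_spns },
    { "bob", "EXAMPLE.TEST", bob_spns },
};

/* Resolve the requested server name to the account that owns it.
 * Names compare case-insensitively here (assumption). */
static const struct account *lookup_spn(const char *realm, const char *sname)
{
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
        const struct account *a = &directory[i];
        if (strcmp(a->realm, realm) != 0)
            continue;
        if (strcasecmp(a->name, sname) == 0)
            return a;
        for (const char *const *s = a->spns; *s != NULL; s++)
            if (strcasecmp(*s, sname) == 0)
                return a;
    }
    return NULL;
}

/* tgt_crealm/tgt_cname: client realm and name taken from the already
 * decrypted and verified additional ticket of an enc_tkt_in_skey request. */
int u2u_check_target(const char *req_realm, const char *req_sname,
                     const char *tgt_crealm, const char *tgt_cname)
{
    const struct account *svc = lookup_spn(req_realm, req_sname);

    if (svc == NULL)
        return KRB_AP_ERR_NOT_US; /* unknown name: fail closed */
    if (strcmp(svc->realm, tgt_crealm) != 0 ||
        strcasecmp(svc->name, tgt_cname) != 0)
        return KRB_AP_ERR_NOT_US; /* TGT belongs to a different account */
    return U2U_OK;
}
```

Resolving the requested name to its owning account before comparing means an SPN alias and the account name are treated as the same target, while a TGT issued to any other account is rejected.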