Bug 14874 - Kerberos Salt preparation in AD DC does not cope with embedded @
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on: 14881
Blocks: 14753
Reported: 2021-10-19 08:57 UTC by Andrew Bartlett
Modified: 2021-12-13 19:12 UTC
Description Andrew Bartlett 2021-10-19 08:57:09 UTC
For a computer object, it is possible, if very strange, to have an account with an @ in it.  This breaks the string-based preparation of the salt.

We need to prepare the principal using Kerberos routines to ensure this is escaped, not thought to be the delimiter with the realm.

I'm working on a patch and some tests.
Comment 1 Andrew Bartlett 2021-10-20 08:47:55 UTC
This blocks bug 14753 as this change makes new users of objectclass computer use UF_WORKSTATION_TRUST (previously UF_NORMAL_ACCOUNT).

This breaks a test "virtual email accounts" in bind.py that was putting user@domain in a samAccountName as the new salt doesn't parse.
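The failure mode described in the description and in Comment 1, as an added example that is not Samba's code: a string-based split on `@` compared with escape-aware principal handling, using the RFC 4120 default salt (realm followed by the name components, no separators). The function names, the `EXAMPLE.COM` realm and the `user@domain` account are constructed for illustration, the realm is assumed to contain no delimiter characters, and AD's separate salt rules for computer accounts are not modelled.

```python
ACCOUNT = "user@domain"   # constructed sample account name with an embedded '@'
REALM = "EXAMPLE.COM"     # constructed sample realm


def naive_salt(principal):
    """Hypothetical string-based preparation: the first '@' is taken as the realm delimiter."""
    name, realm = principal.split("@", 1)
    return (realm + name.replace("/", "")).encode("utf-8")


def unparse_principal(components, realm):
    """Render a principal in Kerberos string form, escaping '\\', '/' and '@' in components."""
    def esc(s):
        # Backslash first, so the escapes added for '/' and '@' are not doubled.
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in components) + "@" + realm


def parse_principal(text):
    """Escape-aware parse of the string form; returns (components, realm)."""
    components, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character is literal
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "@":                         # first unescaped '@' starts the realm
            components.append("".join(buf))
            return components, text[i + 1:]
        if ch == "/":                         # unescaped '/' separates components
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    raise ValueError("no unescaped realm delimiter found")


def default_salt(components, realm):
    """RFC 4120 default salt: realm, then name components, concatenated."""
    return (realm + "".join(components)).encode("utf-8")


def demo():
    """Return (salt from the naive split, salt from escape-aware handling)."""
    comps, realm = parse_principal(unparse_principal([ACCOUNT], REALM))
    return naive_salt(ACCOUNT + "@" + REALM), default_salt(comps, realm)


if __name__ == "__main__":
    print(demo())
```

The two salts differ, so keys derived with the naive split would not match keys derived by a peer that treats the embedded `@` as part of the account name.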
Comment 2 Samba QA Contact 2021-10-20 12:55:21 UTC
This bug was referenced in samba master:

Comment 3 Samba QA Contact 2021-10-23 08:08:05 UTC
This bug was referenced in samba master:

5094d986b7686f057195dcb10764295b88967019
Comment 4 Samba QA Contact 2021-10-25 13:25:20 UTC
This bug was referenced in samba v4-15-test:

Comment 5 Samba QA Contact 2021-10-26 13:04:26 UTC
This bug was referenced in samba v4-14-test:

Comment 6 Samba QA Contact 2021-10-27 13:11:56 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.1):

Comment 7 Samba QA Contact 2021-10-27 13:23:09 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.9):

Comment 8 Samba QA Contact 2021-10-27 23:56:08 UTC
This bug was referenced in samba v4-13-test:

Comment 9 Samba QA Contact 2021-10-29 07:31:36 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.13):

Comment 10 Andrew Bartlett 2021-11-09 20:55:51 UTC
The patches addressing this issue have been pushed to master and security releases made.