Bug 14948 - Inconsistent behavior "samba-tool spn create" with regards to host spn aliases and MS CVE-2021-42282
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.15.3
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-17 10:22 UTC by keesvanvloten
Modified: 2022-02-16 23:09 UTC

Description keesvanvloten 2022-01-17 10:22:46 UTC
Background:

Separate from the computer accounts I am using service user accounts for services like apache (svc_<hostname>_apache). Until now apache used HTTP/<host_fqdn> as its SPN.

The HTTP SPN is in the list of host SPN aliases, found here:
'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com'

It contains:

sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,
replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,
fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,
plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,
rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,
schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
iisadmin,msdtc

There is also a thread on the mail-list: https://lists.samba.org/archive/samba/2022-January/239245.html


Issues:
Depending on the order of things (different) problems arise.

1) If the HTTP principal is assigned to the SVC account before the computer joins the domain, the join fails with:
"Failed to join domain: Failed to set machine spn: Constraint violation".

The computer does not join and an error is displayed; this is correct behavior. The error could be better: it does not point at the SPN alias (so it is still unclear how this happened, which caused me to start a thread on the mailing list).


2) The computer is joined before the HTTP SPN is set on the SVC account. An error is displayed, but the principal is still assigned:

samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName: 
         HTTP/myserver.samdom.net

I would expect the action to fail (i.e. no HTTP SPN assigned) and a clear error mentioning the host alias list.


3) Same as 2), but now we use WWW as the SPN for the SVC account instead of HTTP.
No error is shown and the action succeeds.

samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName: 
         WWW/myserver.samdom.net

I would expect the action to fail (i.e. no HTTP SPN assigned) and a clear error mentioning the host alias list.
Having different behavior than in 2) for the same kind of issue is inconsistent.


4) Numbers 2) and 3) violate the behavior described in CVE-2021-42282 in: https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

MS describes there specific settings in dSHeuristics that allow non-unique SPNs. Either these settings are enabled by default in Samba, or the current behavior differs from the docs. If uniqueness is guaranteed then it should not be possible to add the SPNs in 2) and 3) on the SVC account at all, because they are already claimed by the host account.

- Kees
Comment 1 Joseph Sutton 2022-02-16 23:09:12 UTC
The error message received in case 2) is not actually an error, but just a debugging message that is displayed when the SPN collision check is performed. Case 3) should have also displayed this message, but it did not due to https://bugzilla.samba.org/show_bug.cgi?id=14950.

For security reasons, we chose to always observe these restrictions and not allow them to be disabled via dSHeuristics.

However, conflicting SPNs can still be added if you also have the rights to edit the SPNs on the first account. This is why it was possible to add the SPNs in cases 2) and 3).
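The following is an added example and is not Samba's code. It models the two behaviours discussed on this page: the alias collision check from the description (HTTP/ and WWW/ both fold to host/ through the sPNMappings value quoted above), and the rule from Comment 1 that a colliding SPN is still accepted when the caller can also edit the SPNs of the account that already holds it. The in-memory `directory` dictionary, the `writable_dns` set standing in for ACL rights, and the exact shape of the permission rule are assumptions for illustration; the DNs and SPNs are those from the report.

```python
"""Added example, not Samba's own implementation: model the SPN alias
collision check that runs when an SPN is added, plus the modelled rule
that the add still succeeds if the caller may write the other account."""

# sPNMappings value as quoted in the bug report (one logical string).
SPN_MAPPINGS = (
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,"
    "replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,"
    "fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,"
    "plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,"
    "rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,"
    "schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,"
    "iisadmin,msdtc"
)


def parse_spn_mappings(values):
    """Return {alias_service_class: canonical_service_class}, case-folded.
    The attribute may carry several 'target=alias,alias,...' values."""
    if isinstance(values, str):
        values = [values]
    alias_map = {}
    for value in values:
        target, sep, aliases = value.partition("=")
        if not sep:
            raise ValueError(f"malformed sPNMappings value: {value!r}")
        target = target.strip().lower()
        alias_map[target] = target
        for alias in aliases.split(","):
            alias = alias.strip().lower()
            if alias:
                alias_map[alias] = target
    return alias_map


def canonical_spn(spn, alias_map):
    """Map 'Class/host[:port][/name]' to the form used for collision checks:
    service class replaced by its sPNMappings target, all lower-cased,
    so HTTP/x and WWW/x both become host/x."""
    service, sep, rest = spn.partition("/")
    if not sep or not service or not rest:
        raise ValueError(f"not a valid SPN: {spn!r}")
    service = service.lower()
    return f"{alias_map.get(service, service)}/{rest.lower()}"


def find_spn_collision(spn, target_dn, directory, alias_map):
    """directory is {dn: [spn, ...]}, a constructed stand-in for an LDAP
    search. Return (other_dn, other_spn) for the first object other than
    target_dn holding an SPN equal to spn after alias mapping, else None."""
    wanted = canonical_spn(spn, alias_map)
    for dn, spns in directory.items():
        if dn.lower() == target_dn.lower():
            continue
        for existing in spns:
            if canonical_spn(existing, alias_map) == wanted:
                return dn, existing
    return None


def add_spn(spn, target_dn, directory, alias_map, writable_dns):
    """Modelled rule (assumption, simplified from Comment 1): refuse a
    colliding SPN unless the caller may also write the colliding account."""
    collision = find_spn_collision(spn, target_dn, directory, alias_map)
    if collision is not None:
        other_dn, other_spn = collision
        if other_dn.lower() not in {d.lower() for d in writable_dns}:
            raise PermissionError(
                f"Constraint violation: {spn!r} on {target_dn!r} collides "
                f"with {other_spn!r} on {other_dn!r} (via sPNMappings)")
        directory.setdefault(target_dn, []).append(spn)
        return "added-with-collision"
    directory.setdefault(target_dn, []).append(spn)
    return "added"


def demo():
    """Replay the report's scenarios against the model (constructed data)."""
    alias_map = parse_spn_mappings(SPN_MAPPINGS)
    host_dn = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
    svc_dn = ("CN=svc_myserver_apache,OU=Service Accounts,"
              "OU=Noninteractive Users,DC=samdom,DC=net")
    out = {}
    # Case 1: HTTP/ on the service account first. The joining machine can
    # only write its own object, so setting host/ afterwards is refused.
    directory = {svc_dn: ["HTTP/myserver.samdom.net"]}
    try:
        add_spn("host/myserver.samdom.net", host_dn, directory, alias_map, {host_dn})
        out["join_after_http"] = "added"
    except PermissionError:
        out["join_after_http"] = "Constraint violation"
    # Cases 2 and 3: machine joined first; an admin who can write both
    # accounts adds HTTP/ and WWW/. The collision is detected and reported
    # in the return value, but the change is allowed for that caller.
    directory = {host_dn: ["host/myserver.samdom.net"]}
    admin = {host_dn, svc_dn}
    out["http_after_join"] = add_spn("HTTP/myserver.samdom.net", svc_dn, directory, alias_map, admin)
    out["www_after_join"] = add_spn("WWW/myserver.samdom.net", svc_dn, directory, alias_map, admin)
    # A service class that is not a host alias never collides with host/.
    out["mssql"] = add_spn("MSSQLSvc/myserver.samdom.net:1433", svc_dn, directory, alias_map, admin)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the script prints one line per scenario. The point a practitioner should take from it: uniqueness is only enforced against accounts the caller cannot write, so a check that a deployment has no HTTP/, WWW/ or other aliased SPN duplicated between a service account and the machine account must be done by searching the directory, not by relying on the add operation to fail.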