Bug 15005 - A cross-realm kerberos client exchanges fail using KDCs with and without FAST
Summary: A cross-realm kerberos client exchanges fail using KDCs with and without FAST
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.16.0rc5
Hardware: All All
: P5 regression (vote)
Target Milestone: 4.16
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 15002
Blocks:
  Show dependency treegraph
 
Reported: 2022-03-10 14:39 UTC by Stefan Metzmacher
Modified: 2022-03-21 12:18 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2022-03-10 14:39:14 UTC 
In a cross-realm situation the client KDC exchange may use on orphaned strengthen_key (from the previous exchange) if the current KDC
doesn't not support FAST and the previous KDC supported it.
Comment 1 Samba QA Contact 2022-03-11 18:25:13 UTC 
This bug was referenced in samba master:

67bdc922f9836779f1b37805575c5c4eea9ba3e6
12b623088cf48cf9e4a046441810ef20e1f079b8
2db7589d69abebad16b66d933114367f815d5fc3
f1a71e24864367a55a30813dd642e7ef392b5ac9
9b48e7f7eda5e368c1192d562c268885c1f68d8b
Comment 2 Samba QA Contact 2022-03-14 15:25:12 UTC 
This bug was referenced in samba v4-16-test:

2aa95f782037be279b093df5b3f9cbe4f1c44ab3
9aa78f15fd6f4796657246d09dab883a717de6f6
4643536739464a1f1c49ca780ae34a1c8f6df360
e6196c456c1d9635376fcc5565b9f67e2e7cf65a
9d819c9359f35758219ee78ef0ade3828a9d8135
Comment 3 Stefan Metzmacher 2022-03-15 20:54:52 UTC 
Fixed via #15002
Comment 4 Samba QA Contact 2022-03-21 12:18:18 UTC 
This bug was referenced in samba v4-16-stable (Release samba-4.16.0):

2aa95f782037be279b093df5b3f9cbe4f1c44ab3
9aa78f15fd6f4796657246d09dab883a717de6f6
4643536739464a1f1c49ca780ae34a1c8f6df360
e6196c456c1d9635376fcc5565b9f67e2e7cf65a
9d819c9359f35758219ee78ef0ade3828a9d8135