Bug 15047 (CVE-2022-2031) - [SECURITY] CVE-2022-2031 kadmin/changew gets a krbtgt key as AS-REP
Summary: [SECURITY] CVE-2022-2031 kadmin/changew gets a krbtgt key as AS-REP
Status: RESOLVED FIXED
Alias: CVE-2022-2031
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.16.0rc5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
: 15077 (view as bug list)
Depends on:
Blocks: CVE-2022-32744 15109
  Show dependency treegraph
 
Reported: 2022-04-13 22:46 UTC by Andrew Bartlett
Modified: 2022-09-06 08:19 UTC (History)
11 users (show)

See Also:


Attachments
patch for canonicalisation issue (6.51 KB, patch)
2022-05-24 04:25 UTC, Jo Sutton
no flags Details
Patch proposal #2 (16.02 KB, patch)
2022-05-24 08:41 UTC, Andreas Schneider
no flags Details
Patch proposal #3 (16.25 KB, patch)
2022-05-24 11:35 UTC, Andreas Schneider
no flags Details
Patch proposal #4 (15.20 KB, patch)
2022-05-24 12:18 UTC, Andreas Schneider
no flags Details
Advisory draft #1 (1.85 KB, text/plain)
2022-05-24 14:15 UTC, Andreas Schneider
no flags Details
Patch proposal #5 (23.21 KB, patch)
2022-05-25 05:40 UTC, Jo Sutton
no flags Details
WIP patches for kpasswd bugs 150{47,49,74,77} (143.72 KB, patch)
2022-05-26 09:50 UTC, Jo Sutton
no flags Details
kpasswd patches v2 (158.07 KB, patch)
2022-05-27 08:18 UTC, Jo Sutton
no flags Details
MIT setpw ASN.1 patch (1.23 KB, patch)
2022-05-27 08:21 UTC, Jo Sutton
no flags Details
kpasswd patches v3 (181.72 KB, patch)
2022-05-28 07:40 UTC, Jo Sutton
no flags Details
kpasswd patches v4 (180.21 KB, patch)
2022-05-30 08:05 UTC, Jo Sutton
no flags Details
kpasswd patches v6 (189.10 KB, patch)
2022-05-31 05:37 UTC, Jo Sutton
no flags Details
kpasswd patches v7 (202.54 KB, patch)
2022-05-31 08:34 UTC, Jo Sutton
abartlet: review+
Details
kpasswd patches v8 (219.69 KB, patch)
2022-06-10 08:49 UTC, Jo Sutton
abartlet: review-
Details
kpasswd patches v9 (220.54 KB, patch)
2022-06-13 09:35 UTC, Jo Sutton
no flags Details
kpasswd patches v10 (224.45 KB, patch)
2022-06-14 07:12 UTC, Jo Sutton
asn: review+
jsutton: ci-passed+
Details
kpasswd patches v10 for 4.16 (242.25 KB, patch)
2022-06-15 09:42 UTC, Jo Sutton
jsutton: ci-passed+
Details
Advisory draft #2 (3.03 KB, text/plain)
2022-06-15 09:54 UTC, Jo Sutton
no flags Details
kpasswd patches v11 (228.11 KB, patch)
2022-06-16 04:37 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v11 for 4.16 (244.17 KB, patch)
2022-06-16 04:45 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
Advisory draft #3 (3.08 KB, text/plain)
2022-06-16 05:06 UTC, Jo Sutton
no flags Details
Advisory draft #4 (3.12 KB, text/plain)
2022-06-16 05:10 UTC, Jo Sutton
abartlet: review+
Details
kpasswd patches v11 for 4.15 (501.80 KB, patch)
2022-06-16 07:46 UTC, Jo Sutton
jsutton: ci-passed-
Details
kpasswd patches v11 for 4.15 (504.59 KB, patch)
2022-06-17 03:11 UTC, Jo Sutton
jsutton: ci-passed+
Details
kpasswd patches v11 for 4.14 (499.27 KB, patch)
2022-06-20 02:46 UTC, Jo Sutton
jsutton: ci-passed+
Details
kpasswd patches v11 for 4.12 (498.24 KB, patch)
2022-06-20 03:09 UTC, Jo Sutton
jsutton: ci-passed+
Details
kpasswd patches v15 (230.86 KB, patch)
2022-06-28 01:22 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v15 for 4.16 (248.65 KB, patch)
2022-06-28 01:23 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v15 for 4.15 (506.28 KB, patch)
2022-06-28 01:31 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v15 for 4.14 (501.08 KB, patch)
2022-06-28 01:32 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v15 for 4.12 (502.70 KB, patch)
2022-06-28 01:33 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v15 for 4.10 (509.51 KB, patch)
2022-07-20 08:11 UTC, Jo Sutton
abartlet: review+
jsutton: ci-passed+
Details
kpasswd patches v15 for 4.13 (501.08 KB, patch)
2022-07-27 02:36 UTC, Jo Sutton
jsutton: ci-passed+
Details
Fix gensec_krb5 dependency issue (468 bytes, patch)
2022-07-28 09:09 UTC, Andrew Bartlett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2022-04-13 22:46:43 UTC
Long ago Luke Howard mentioned to me that I should look into the fact that in AD the krbtgt key is used for the kpasswd server, and that the two key uses should be separated. 

I'm concerned to understand what would, otherwise, stop a krbtgt ticket being presented to the kpasswd server, overriding what from memory is a 'must get initial ticket' rule - to ensure you know the old password at the time of invoking kpasswd and vice-verca, if an account was only allowed to change the password, getting a TGT instead. 

eg this attack: https://www.secureauth.com/blog/kerberos-delegation-spns-and-more/
Comment 1 Alexander Bokovoy 2022-05-04 08:04:38 UTC
In FreeIPA community we see people reporting problems with this when using Heimdal-built Samba AD and MIT Kerberos client. When changing password, MIT Kerberos client asks for kadmin/changepw but gets a ticket for krbtgt and fails with "KDC reply did not match expectations getting initial ticket" error.

The person reporting it is deploying Samba AD together with FreeIPA in forest trust but this is not needed to reproduce. A simple MIT Kerberos client is enough to fail, so aside from security issues it is also an interoperability problem between Heimdal-based Samba AD and MIT Kerberos client.
Comment 2 Andrew Bartlett 2022-05-04 09:06:46 UTC
Very interesting.  Thanks Alexander, that sounds like incorrect canonicalisation handling.
Comment 3 Andreas Schneider 2022-05-12 07:43:55 UTC
You can reproduce it with MIT kpasswd against Heimdal AD.

make -j20 testenv SELFTEST_TESTENV="fl2008r2dc:local"

In the testenv:

$ vi $KRB5_CONFIG

In the krb5.conf you need:

[libdefaults]
  canonicalize = yes

$ kpasswd alice@$REALM
Password for alice@SAMBA2008R2.EXAMPLE.COM: 
kpasswd: KDC reply did not match expectations getting initial ticket
Comment 4 Jo Sutton 2022-05-24 04:25:47 UTC
Created attachment 17299 [details]
patch for canonicalisation issue

This patch appears to fix the canonicalisation issue.
Comment 5 Jo Sutton 2022-05-24 04:49:26 UTC
Neither Samba nor Windows prevent TGTs being presented to the kpasswd service. Both Samba and Windows prevent the reverse scenario (incidentally) as a result of rejecting TGTs without a REQUESTER_SID buffer; however! this check (from commit 38c5bad4a853b19fe9a51fb059e150b153c4632a) is missing in Samba 4.15 and below.

In addition, Windows caps the lifetime (calculated as endtime - authtime) of tickets issued to kadmin/changepw to two minutes, and rejects any TGTs with a lifetime of two minutes or less, supposing them to be kadmin tickets. We might choose to follow this as an extra precaution against ticket misuse.
Comment 6 Andreas Schneider 2022-05-24 08:33:15 UTC
Hi Joseph,

I didn't see your comment and patch here, so I created a similar fix, including a test, at the same time.
Comment 7 Andreas Schneider 2022-05-24 08:41:17 UTC
Created attachment 17300 [details]
Patch proposal #2
Comment 8 Andreas Schneider 2022-05-24 08:58:39 UTC
The MIT KDB module already restricts the lifetime of the ticket, see:

https://gitlab.com/samba-team/samba/-/blob/master/source4/kdc/mit-kdb/kdb_samba_principals.c#L333

I think the best would be to open a new bug for this.
Comment 9 Jo Sutton 2022-05-24 09:25:53 UTC
Thanks for posting your patch with the test. I'll file a new bug for krbtgt ticket misuse and leave this one for the canonicalisation issue.

BTW, I see another potential problem here (a pre-existing one). We're using strncmp() rather than strcmp() to check whether we're dealing with the changepw principal, so an account named 'changepw1' with SPN 'kadmin/changepw1' is misinterpreted as being the changepw service. And the same applies to KRB5_TGS_NAME, which is checked by the same function.
Comment 10 Jo Sutton 2022-05-24 09:40:04 UTC
(In reply to Joseph Sutton from comment #9)

Sorry, I was mistaken. Impersonating the changepw service would require an account named with some prefix of 'changepw' (such as 'changep'), and impersonating the KDC would require an account named $REALM, with the first part of the SPN being some prefix of 'krbtgt'.
Comment 11 Andreas Schneider 2022-05-24 11:35:14 UTC
Created attachment 17302 [details]
Patch proposal #3
Comment 12 Andreas Schneider 2022-05-24 12:18:00 UTC
Created attachment 17303 [details]
Patch proposal #4

I've cleaned up the patchset and split your patch Joseph. Please check.
Comment 13 Andreas Schneider 2022-05-24 14:15:44 UTC
Created attachment 17305 [details]
Advisory draft #1

I've just quickly wrote an advisory to get the process started.

Not 100% sure of the CVSS score, I calculated:

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:U/CR:L/IR:L
Comment 14 Andreas Schneider 2022-05-24 14:16:42 UTC
Huzaifa, we need a CVE for this.
Comment 15 Jo Sutton 2022-05-25 05:40:11 UTC
Created attachment 17306 [details]
Patch proposal #5

I've added reviewed-by tags and split the patches out into an additional commit (so that adding and refactoring samba_kdc_get_entry_principal() are each separate commits). Let me know if this is OK.
Comment 16 Andreas Schneider 2022-05-25 14:41:39 UTC
This looks fine for me. Just the line

code = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx));

is to long and should be formatted differently. The rest is review+ by me.


Can you run a private pipeline with the updated patch?
Comment 17 Jo Sutton 2022-05-26 09:50:54 UTC
Created attachment 17307 [details]
WIP patches for kpasswd bugs 150{47,49,74,77}

OK, I'm running a pipeline. Here are WIP patches for the kpasswd bugs:
https://bugzilla.samba.org/show_bug.cgi?id=15047
https://bugzilla.samba.org/show_bug.cgi?id=15049
https://bugzilla.samba.org/show_bug.cgi?id=15074
https://bugzilla.samba.org/show_bug.cgi?id=15077
Comment 18 Jo Sutton 2022-05-27 08:18:19 UTC
Created attachment 17308 [details]
kpasswd patches v2

Made some fixes for MIT Kerberos.
Comment 19 Jo Sutton 2022-05-27 08:21:52 UTC
Created attachment 17309 [details]
MIT setpw ASN.1 patch

A patch for MIT Kerberos to make principal and realm optional for passwords sets (matching Heimdal).
Comment 20 Jo Sutton 2022-05-28 07:40:39 UTC
Created attachment 17310 [details]
kpasswd patches v3

Pipeline is mostly passing for Heimdal, but MIT still needs some work, and knownfails are yet to be added.
Comment 21 Jo Sutton 2022-05-30 08:05:09 UTC
Created attachment 17311 [details]
kpasswd patches v4

Removed third_party/heimdal changes (now unnecessary) and included a fix for bug #15074 with the MIT KDC. I looked into adding a ticket lifetime check (using krb5_kdcpolicy_check_tgs_fn) for MIT Kerberos to ensure kpasswd tickets aren't misused, but the REQUESTER_SID PAC buffer check will cover that.

I have yet to fix the tests for MIT Kerberos and add knownfails.
Comment 22 Jo Sutton 2022-05-31 05:37:21 UTC
Created attachment 17312 [details]
kpasswd patches v6
Comment 23 Andreas Schneider 2022-05-31 07:00:50 UTC
Joseph, for the MIT setpw change, open a PR at https://github.com/krb5/krb5/pulls

We can then add the patch to the MIT krb5 1.20 package in Fedora and update our CI images with it.
Comment 24 Andrew Bartlett 2022-05-31 07:27:59 UTC
Sadly updating our CI images is currently broken: 
https://gitlab.com/samba-team/devel/samba/-/pipelines/549582196

Also, I'm wondering if it is entirely legitimate to be calling into that routine - decode_krb5_setpw_req() - anyway?  It isn't in the ABI or API, right?

I'm sure you are well aware, but for others this is discussed here:
https://mailman.mit.edu/pipermail/krbdev/2017-May/012776.html

On the flip side, this looks like a plain bug on the MIT side, the rest of the code in MIT kpasswdd certainly expects that the target can be omitted. 

Flipping back, we would still have the issue of working with older versions, so we will need the fallback anyway, so perhaps that can happen async to this security release?
Comment 25 Jo Sutton 2022-05-31 08:34:20 UTC
Created attachment 17313 [details]
kpasswd patches v7

Running a pipeline, hopefully it passes this time (excluding CentOS Stream 8).
Comment 26 Andreas Schneider 2022-05-31 12:06:59 UTC
Could you please use libtasn1 for asn1 work? The plan is still got get rid of our asn1 implementation one day. I just haven't had the time to do the work to migrate everything to libtasn1.
Comment 27 Stefan Metzmacher 2022-05-31 19:42:30 UTC
Comment on attachment 17313 [details]
kpasswd patches v7

This is strange

-                  source='hdb-samba4.c hdb-samba4-plugin.c',
+                  source='hdb-samba4.c hdb-samba4-kpasswd-plugin.c',

I think we need to keep hdb-samba4-plugin.c, as it's used for
samba-tool domain exportkeytab

I also noticed a few indentation (whitespaces vs. tabs?) problems
in kpasswd_change_password(), but also other places.


I try to get through is more carefully in the next days...
Comment 28 Andrew Bartlett 2022-05-31 22:35:19 UTC
(In reply to Andreas Schneider from comment #26)
libtasn1 is currently optional and only used in one bit of Samba (mscat) as I read the build system.  

I really think we should avoid changing that in a security release that we have to backport and deal with swapping over in master where we can discuss things in the open.  

Would you be OK with letting this follow the rest of the existing pattern in Samba so we can get this shipped, without the additional work to move to libtasn1?  

This series is already getting to be a fairly large chunk of work as-is.
Comment 29 Andrew Bartlett 2022-05-31 22:38:21 UTC
(In reply to Stefan Metzmacher from comment #27)
Yeah, the only other compile of this file is in HDB_SAMBA4_PLUGIN which is a no-op (system Heimdal for the AD DC is not supported).  Hopefully the pipeline found this, or we have a bigger problem.
Comment 30 Jo Sutton 2022-05-31 23:23:08 UTC
(In reply to Stefan Metzmacher from comment #27)
It seems that since commit 5c5d586d3ebd402061a9143dc55543115bcd2476, keytab export doesn't depend on HDB anymore, so I think it's OK to drop hdb-samba4-plugin.c from HDB_SAMBA4.

Thanks for spotting the indentation issues; those are from the LSP server trying to reformat my comments. I'll make sure they're fixed for the final version of the patchset.
Comment 31 Andrew Bartlett 2022-06-07 05:26:55 UTC
Comment on attachment 17313 [details]
kpasswd patches v7

In the kpasswd_set_password() fallback, NULL out target_principal if kpasswd_make_error_reply() has failed, just in case.  We are using an internal API without a good behaviour definition, we should be really cautious and have the simple decoder set target_principal explicitly. 

For the test with the admin key, I would also suggest testing with a normal account holding an SPN, just to be sure.  (rather than a user account).

Otherwise, this looks pretty good to me.
Comment 33 Andrew Bartlett 2022-06-07 08:52:54 UTC
*** Bug 15077 has been marked as a duplicate of this bug. ***
Comment 34 Stefan Metzmacher 2022-06-07 09:10:53 UTC
(In reply to Joseph Sutton from comment #30)

It seems HDB_SAMBA4_PLUGIN is not used at all.

So I think we can just change the logic in hdb-samba4-plugin.c
and don't need the extra hdb-samba4-kpasswd-plugin.c and all the name changing related to it
Comment 35 Stefan Metzmacher 2022-06-07 10:28:29 UTC
Why are we looking at starttime if windows doesn't?
Comment 36 Jo Sutton 2022-06-08 02:09:24 UTC
(In reply to Stefan Metzmacher from comment #34)
OK, I'll not add another plugin.

(In reply to Stefan Metzmacher from comment #35)
The Heimdal KDC looks at the starttime everywhere else (following RFC 4120), so it seems reasonable to be self-consistent and check it here also.
Comment 37 Jo Sutton 2022-06-10 08:49:33 UTC
Created attachment 17337 [details]
kpasswd patches v8

New version of the patchset with requested improvements, and an additional check preventing the kpasswd service from accepting TGTs.
Comment 38 Andrew Bartlett 2022-06-13 08:23:37 UTC
Comment on attachment 17337 [details]
kpasswd patches v8

[PATCH 04/43] tests/krb5: Use object() rather than auto() to
 initialise enums

Add CVE and bug tags (so we remember to backport this also)

In the tests:
+    # Test kpasswd with the canonicalize option reset and a non-canonical
+    # realm.

How is this setting a non-canonical realm?  It isn't obvious.

For cleanup after this lands:
+        expected_msg = b'gensec_unwrap failed - NT_STATUS_ACCESS_DENIED\n'
I'm nervous about our debug / error strings being so embedded into the testsuite
Likewise the string about minimum password length:
+        expected_msg = (b'Password too short, password must be at least 7 '
+                        b'characters long.',
+                        b'String conversion failed!')
+

[PATCH 19/43] CVE-2022-2031 s4:kpasswd: Correctly generate error
 strings

 	/*
-	 * The string 's' has two terminating nul-bytes which are also
-	 * reflected by 'slen'. Normally Kerberos doesn't expect that strings
-	 * are nul-terminated, but Heimdal does!
+	 * The string 's' has one terminating nul-byte which is also
+	 * reflected by 'slen'.
 	 */
-#ifndef SAMBA4_USES_HEIMDAL
-	if (slen < 2) {
+	if (slen < 1) {
 		talloc_free(s);
 		return false;
 	}
-	slen -= 2;
-#endif
+	slen--;
+
 	if (2 + slen < slen) {
 		talloc_free(s);
 		return false;

The overflow guard still reflects +2 and 

error_data->length = 2 + slen;

Again pushes two bytes beyond the length given, making 1 byte beyond the buffer after then slen--.  

This doesn't seem right. 

Subject: [PATCH 27/43] CVE-2022-2031 testprogs: Add test with MIT kpasswd for
 CVE-2022-XXXXX
Please fix/remove second CVE reference.

Subject: [PATCH 31/43] CVE-2022-2031 CVE-2022-XXXXXX: s4:kdc: Fix
 canonicalisation of kadmin/changepw principal
Please fix/remove second CVE reference.

[PATCH 35/43] s4:kdc: Don't use strncmp to compare principal
 components
CVE/BUG reference needed

 [PATCH 41/43] CVE-2022-2031 auth: Add ticket type field to
 auth_user_info_dc and auth_session_info


+	typedef enum {
+		TICKET_TYPE_UNKNOWN = 0,
+		TICKET_TYPE_TGT = 1,
+		TICKET_TYPE_NON_TGT = 2
+	} ticket_type;

This is a heuristic, we should add a comment to indicate what it uses and how it can fail (old Samba versions, unpatched windows before Nov 2021)

[PATCH 42/43] CVE-2022-2031 s4:auth: Use PAC to determine whether
 ticket is a TGT

Put the same in the comments here where this is set.


Otherwise, really awesome work, thanks so much!
Comment 39 Jo Sutton 2022-06-13 09:35:05 UTC
Created attachment 17342 [details]
kpasswd patches v9

Fixed CVE tags and addressed remarks with clarifying comments.
Comment 40 Andreas Schneider 2022-06-13 13:25:13 UTC
+++ b/python/samba/tests/krb5/kpasswd_tests.py
@@ -0,0 +1,996 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020

Who wrote the test, Metze or you? If metze then you should commit under his name, if you change the Copyright :-)
Comment 41 Andrew Bartlett 2022-06-13 21:43:56 UTC
(In reply to Andreas Schneider from comment #40)
Point taken but far more simply I'm pretty sure this was just the copyright on the basis which this script was derived from, and it would be rude to remove that.  A Catalyst.Net Ltd copyright can be added of course.
Comment 43 Jo Sutton 2022-06-14 07:12:38 UTC
Created attachment 17346 [details]
kpasswd patches v10

Added a copyright message.
Comment 44 Jo Sutton 2022-06-15 09:42:18 UTC
Created attachment 17352 [details]
kpasswd patches v10 for 4.16
Comment 45 Jo Sutton 2022-06-15 09:54:17 UTC
Created attachment 17353 [details]
Advisory draft #2

Added a new advisory detailing some more aspects of the issue besides the canonicalization one.
Comment 46 Stefan Metzmacher 2022-06-15 16:35:46 UTC
(In reply to Joseph Sutton from comment #36)

I think it's actually important to use the authtime from the service ticket
instead of it's starttime. I guess the key is that the service is only
valid 2 minutes after the client did the AS-REQ to get the TGT.

Or am I missing something?
Comment 47 Jo Sutton 2022-06-16 00:14:54 UTC
(In reply to Stefan Metzmacher from comment #46)
Thank you, I was mistaken. I had the idea that Windows didn't set starttime, but it only omits it when it would be the same as the authtime anyway. After more testing, it appears that the *actual* behaviour of the Windows KDC is to reject tickets during the last two minutes of their life.
Comment 48 Andrew Bartlett 2022-06-16 00:27:14 UTC
When this is all chased down I would love to see dochelp explain where this is documented... :-)
Comment 49 Jo Sutton 2022-06-16 04:37:49 UTC
Created attachment 17357 [details]
kpasswd patches v11

New patchset to match Windows with the ticket times. The only differences are in commits:
[new commit] CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
CVE-2022-2031 tests/krb5: Add tests for kpasswd service
CVE-2022-2031 s4:kdc: Don't accept tickets living two minutes or less
Comment 50 Jo Sutton 2022-06-16 04:45:25 UTC
Created attachment 17358 [details]
kpasswd patches v11 for 4.16
Comment 51 Jo Sutton 2022-06-16 05:06:57 UTC
Created attachment 17359 [details]
Advisory draft #3

Updated advisory regarding ticket lifetimes.
Comment 52 Jo Sutton 2022-06-16 05:10:16 UTC
Created attachment 17360 [details]
Advisory draft #4

Updated to mention that Samba 4.16 MIT KDC would accept kpasswd tickets as TGTs.
Comment 53 Jo Sutton 2022-06-16 07:46:04 UTC
Created attachment 17361 [details]
kpasswd patches v11 for 4.15
Comment 54 Jo Sutton 2022-06-17 03:11:01 UTC
Created attachment 17368 [details]
kpasswd patches v11 for 4.15
Comment 55 Jo Sutton 2022-06-20 02:46:54 UTC
Created attachment 17372 [details]
kpasswd patches v11 for 4.14
Comment 56 Jo Sutton 2022-06-20 03:09:00 UTC
Created attachment 17373 [details]
kpasswd patches v11 for 4.12

Applies on top of 4.12 patches for #14725 and #14468.
Comment 57 Andrew Bartlett 2022-06-21 09:22:20 UTC
Comment on attachment 17357 [details]
kpasswd patches v11

Once this lands in master please fix
[PATCH 26/43] CVE-2022-2031 testprogs: Add kadmin/changepw
 canonicalization test with MIT kpasswd
to fix the reference to CVE-2022-XXXXX in the comment
Comment 58 Andrew Bartlett 2022-06-21 23:54:24 UTC
Comment on attachment 17368 [details]
kpasswd patches v11 for 4.15

In the 4.15 backport: The patch to require --use-kerberos on the client side concerns me, because it shows a client-visible impact of this change.  This is a problem in a security release, so we need to work out the details on what is going on here.
Comment 59 Andrew Bartlett 2022-06-22 00:08:58 UTC
Comment on attachment 17368 [details]
kpasswd patches v11 for 4.15

My only other comments on the 4.15 backport are:
 - not fully backporting the krb5 testsuite.  This is a difficult call, backporting everything makes backports in the future easier, but means more change now.  It would have reduced the conflicts that had to be fixed up.
 - HDBGET:  This code is safe, but a patch changing HDB: to HDBGET: in heimdal (eg dropping the iterators) would be a good hardening. 

Thanks so much for all the hard work on this!
Comment 60 Andrew Bartlett 2022-06-22 00:45:36 UTC
I'm happy with the 4.15, 4.14 and 4.12 backports provided we work out what is the protocol change around the --use-kerberos vs -k change.  Once we do some more research I'll either review updated patches or add my +1.
Comment 61 Andrew Bartlett 2022-06-22 03:50:31 UTC
We have worked out the issue.

The problem is that in Samba 4.16 and master, the 

 gensec_gssapi:requested_life_time = 5

option which is forced into the client environment of 

 test_winbind_ignore_domains.sh

applies only to the final service ticket, the inter-trust ticket is of a normal lifetime (as it the initial TGT, as always)

In Samba 4.15 and earlier, on the old Heimdal, the inter-trust ticket is also restricted to 5 second lifetime, which then triggers the 'TGT must have lifetime of more than 2 mins' rule. 

The change around --use-kerberos was incorrect and misleading, the test started to pass because of a fallback to NTLM per bug 15104.
Comment 62 Andrew Bartlett 2022-06-22 04:05:56 UTC
The proposed fix will be to make the 2min cutoff on ticket validity (prior to the end of the ticket lifetime) apply only to our krbtgt and RODCs, but not to incoming trusts.  

This is safe because the incoming trusts use a different secret so can't be confused with a krbtgt ticket (TGT) in the way that a kadmin/kpasswd ticket could be.
Comment 63 Jo Sutton 2022-06-28 01:22:16 UTC
Created attachment 17394 [details]
kpasswd patches v15
Comment 64 Jo Sutton 2022-06-28 01:23:03 UTC
Created attachment 17395 [details]
kpasswd patches v15 for 4.16
Comment 65 Jo Sutton 2022-06-28 01:31:34 UTC
Created attachment 17396 [details]
kpasswd patches v15 for 4.15
Comment 66 Jo Sutton 2022-06-28 01:32:30 UTC
Created attachment 17397 [details]
kpasswd patches v15 for 4.14
Comment 67 Jo Sutton 2022-06-28 01:33:03 UTC
Created attachment 17398 [details]
kpasswd patches v15 for 4.12
Comment 68 Andrew Bartlett 2022-06-28 02:24:10 UTC
Comment on attachment 17394 [details]
kpasswd patches v15

I'm happy with this.  The new Heimdal API will need to be proposed upstream, and if they don't accept it then we can instead explicitly set the time before Samba calls the KDC process code, and use our copy in our plugins.
Comment 69 Andrew Bartlett 2022-06-28 07:13:02 UTC
With CI and reviews all set I'm now assigning to Jule for the next available security release (which will need to be filled in on the advisory). 

This has been epic, but we found some really important issues here!
Comment 70 Stefan Metzmacher 2022-06-28 07:24:54 UTC
Andrew, Joseph: Thanks for all the work!

Can you please remember that the third_party/heimdal patchs
needs to be brought upstream and into our lorikeet-heimdal.

Otherwise we'll overwrite it in the next import.

Thanks!
Comment 71 Andrew Bartlett 2022-07-14 04:17:33 UTC
Opening security bugs to vendors.  Release date is currently proposed to be Wednesday 27 July but bug 15109 will be the authoritative reference on that.
Comment 72 Jo Sutton 2022-07-20 08:11:11 UTC
Created attachment 17433 [details]
kpasswd patches v15 for 4.10

Before applying these patches, first apply the 4.10 patches for:
https://bugzilla.samba.org/show_bug.cgi?id=14725
and:
https://bugzilla.samba.org/show_bug.cgi?id=14468
in that order.
Comment 73 Andrew Bartlett 2022-07-20 21:40:54 UTC
Not a blocker but the test_kpasswd_wrong_key_* tests should also check for the wrong key but the original kpasswd service. 

Regarding the 4.10 backport my only concern is:


[jsutton@samba.org Renamed entry to entry_ex; fixed knownfail conflicts;
 retained knownfail for test_kpasswd_from_rodc which now causes the KDC
 to panic]

Can I get some more detail on that, is this possible for a user to trigger?
Comment 74 Jo Sutton 2022-07-20 21:49:10 UTC
(In reply to Andrew Bartlett from comment #73)
The comment about a KDC panic was introduced in the 4.15 backport; since we don't have HDBGET there, the RODC test caused the KDC to enter the disallowed iteration codepath and panic. A following commit, 'CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()', prevents this from occurring.
Comment 75 Andrew Bartlett 2022-07-20 22:05:21 UTC
(In reply to Joseph Sutton from comment #74)
Thanks so much for the extra detail!  Clarifying things like this is why we do review :-)
Comment 76 Jo Sutton 2022-07-27 02:36:12 UTC
Created attachment 17446 [details]
kpasswd patches v15 for 4.13
Comment 77 Samba QA Contact 2022-07-27 10:31:52 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.9):

8f4b78907bbfe915988d52724c66dae0e2eefa9b
b0d3fd37a8884cf18f9c2bffc416035747d49977
e21702d20b6d4507708791c5a6a674b8bdadaab0
440aa37cc462ac9a230636e6758152c3a520fed4
3bbb7bc57f0de9dfe8fa979b7e122cafc4f9c139
39db18962f5368957293cf678e4e7249a8b81ca8
3852adddff6df4d9f6f4cc1add11b06c272d29ef
b9e880b3d9cf5666947cae60adc0846385b04f54
2815de0510e222bc93f5b602b2cdd5c51f8adeb4
e56d66f729ba1713e59b2fb938cc09e69831ac0e
6fc3d93b4fe81be8e8f134c46d461d5815edda91
2ee46c16d2aa706b686b50ccb66a2a3ad9852c50
b1003099c202d05b7d3f570fe313039aebdec3f9
38c83abffd325ee23649c190b8ffb3d27a2bdb68
481a70c37464d356f60a30c5f51ffae755c4e6f0
9da789c73dd6675789b93fc0df0dfc8b274a86c3
298884abb35db7b6a8c6100dfd7bb8b57b1117fd
981948677c895e4e1d3b074f8a1a9c82fd65a80a
5dd0ef1991944a740b1d0107487d25d1acf5ebef
3fd067c7d63e132a84bfc155769012e4261a9f07
5e7d75d8754d157d10e3e7d730445bddd91e5b9e
8b9fe095b91ce62338829a6ac7012170e6af8898
04e452890ada8390828aa4c5c87ceefe44daa50f
a46d0ac59f074f999217586f18ba8772a645b246
c7408dd944ee5a0de5f04079d158f4575fb9036a
389a5523485dfbd48e87b6ee9c39c6c2e16294a0
959ed604ee1588f9a92c269a014fbf12b72fb8a4
22bd1bc2d7308167ea316c6b48f130d378ab4c8b
be9945a4d8e774e8255dd9ae0ed29c9a953ce3ff
b7e3cb83005ef28c70dc8d64cd0a57ba80ae9f4e
63d353e7b5ef235a86bf6df595951dc831108234
185a6d12935f55ad996de502e416114cc1f5aba0
Comment 78 Samba QA Contact 2022-07-27 10:33:14 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.4):

628534b4dcf080a1ab9349d43973c97de818d69c
52b953bfc1891a83099b0829b00f6710f17454fb
f706dcd5ddc13f7e615a7d503420693d1ee45eb2
3bd5df466cb567be8c673eb20cfe903f1950a700
3034c1933c22c76d112693117ac6bf0f95a49f70
a0efc5bc0aeff42563660cd68ba4dcb85d609bc6
7cc2b1ac55390cefca0644534939329b49a9535a
82bfffcdc3cd2ae5f71f5cc18bf862ac88ee038a
5f32710d6787bbf821a37f786a3e82360b7b7660
06c7f3d3f672646b2e0e556693df83761e8dc4e1
c84eb0e673640aeb391766bda50ec7649a75e4d9
8a4f07c2ca2dc153a3c5fc635ac261d372c62fde
705e7ff46d61338e0529c2ac6ce2245d399d27d5
63d6af6ed70a0e9581f851c46c921f1024c7515d
99bbd95a1d6d96b33e9af310e8c0788440e51845
393c18b53ec88e18239b9fa2c1e6ef2009a75ad5
eade23880ec8484530ca19a929bae7c437eafc7e
b8d97f5bd5566996a5fb9def4d0ee3fb8b21974b
3761a6e87131a27b6687eb387b35069cba0119d3
4aafa72991cb59426669725733251d45f912cccb
ada799129ebc19c51a014dcf05cd17ea86b73f5b
9022a69aebfca3af5a5ef432ff392df69490d961
2b63f021e5970386fc4e4923f32b14008e6aac0e
fb7391ca60e4c86bcf79d25547476edf81278c1c
f70ada5eb45baf192f72e9df11327dea5a49fa36
b77fb6e636ce46f1f62cf5b71efd8dd3dd6fdbdb
90e53b8eae98c6b8ae0982a84bf87c329ab8f2a4
1f54e16cf1d5a1f113b88ae938c4752c630eb1d0
0cb4100d16d567f05669c192d6a20dbf5b9bbe98
ff66f68a11c87531648c907ae2a7a6753868bc03
9895018b64c56c6e5a291c0ae90f3fc33e26e0ef
8c0f421852dfcde31ef94e3af182e438a3bc460f
a46dd2846f37ec7d64716c8e68d53cf1ab5e4f67
e650b41ff907ac48f66844bbdf72f83a9e41ea16
Comment 79 Samba QA Contact 2022-07-27 10:33:58 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.14):

c0395578c50fbc4f1946e2f5a065d94f67212eb0
1b38a28bcaebdae0128518605a422a194747a60f
f6c5a60336de8fd67a2ef371dd2ee4cf75c53904
8917979641abb03ef858ba72b652178475b6e918
f7fad997cc06a14c9ffd101b26e16598f334148b
695c662bdc286d7a4699025f00656f8339ceecd8
ae7dd875cd4362ed4346716db493164c421b889f
13fe7e013eccca2c86258084f4443ddb7abaf089
5c41e20fae268e04aa05e821c7f388ea090727af
668825ad56ff70715c626bc3209a6868409e4969
450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2
29ec8b2369b5f5e2a660a3165d2528982514a0f2
3a8da51396f3bf9d4caf8dbd4e75a0314aa47046
cf9e37604409ba0c3c5904af40beb2975c309ad4
cf749fac346ef59c91a9ea87f5e7ddec2e5649c7
198256e2184897300e1cea4343437c3b7b6f74ad
6c4fd575d706b2695090941ad7947b30abdb9071
b5adf7cc6d740c8f4f7b5888f106de24a1181da7
91a1b0955a053f73e6d531f0f12eaa604aca79d7
36d94ffb9c99f3e515024424020e3e03e98f34f5
f68877af829bf73da8e965c9458a9846d1757038
fa4742e1b9dea0b9c379f00666478bd41c021634
3cab62893668742781551dae6505558e47cf08b5
531e7b596d35785bee61f3b4289e38ece1530f94
abdac4241dd08dd90a08db877edd799f3833c2b4
389851bcf399f9511e2cb797350c37ce91aa5849
d40593be83144713cfc43e4eb1c7bc2d925a0da0
95afbc2da9b541fb8f2eebdcd411f5873d1675ac
4b61092459b403b2945daa9082052366f3508b69
89c6e36938c27b572573b06d1b35db210bfda99b
d5af460403d3949ba266f5c74f051247cd7ce752
a6231af1f1c03cd81614332f867916e1748e03a8
Comment 80 Samba QA Contact 2022-07-27 10:38:21 UTC
This bug was referenced in samba v4-14-test:

c0395578c50fbc4f1946e2f5a065d94f67212eb0
1b38a28bcaebdae0128518605a422a194747a60f
f6c5a60336de8fd67a2ef371dd2ee4cf75c53904
8917979641abb03ef858ba72b652178475b6e918
f7fad997cc06a14c9ffd101b26e16598f334148b
695c662bdc286d7a4699025f00656f8339ceecd8
ae7dd875cd4362ed4346716db493164c421b889f
13fe7e013eccca2c86258084f4443ddb7abaf089
5c41e20fae268e04aa05e821c7f388ea090727af
668825ad56ff70715c626bc3209a6868409e4969
450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2
29ec8b2369b5f5e2a660a3165d2528982514a0f2
3a8da51396f3bf9d4caf8dbd4e75a0314aa47046
cf9e37604409ba0c3c5904af40beb2975c309ad4
cf749fac346ef59c91a9ea87f5e7ddec2e5649c7
198256e2184897300e1cea4343437c3b7b6f74ad
6c4fd575d706b2695090941ad7947b30abdb9071
b5adf7cc6d740c8f4f7b5888f106de24a1181da7
91a1b0955a053f73e6d531f0f12eaa604aca79d7
36d94ffb9c99f3e515024424020e3e03e98f34f5
f68877af829bf73da8e965c9458a9846d1757038
fa4742e1b9dea0b9c379f00666478bd41c021634
3cab62893668742781551dae6505558e47cf08b5
531e7b596d35785bee61f3b4289e38ece1530f94
abdac4241dd08dd90a08db877edd799f3833c2b4
389851bcf399f9511e2cb797350c37ce91aa5849
d40593be83144713cfc43e4eb1c7bc2d925a0da0
95afbc2da9b541fb8f2eebdcd411f5873d1675ac
4b61092459b403b2945daa9082052366f3508b69
89c6e36938c27b572573b06d1b35db210bfda99b
d5af460403d3949ba266f5c74f051247cd7ce752
a6231af1f1c03cd81614332f867916e1748e03a8
Comment 81 Jule Anger 2022-07-27 11:04:32 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 82 Samba QA Contact 2022-07-27 11:11:31 UTC
This bug was referenced in samba v4-15-test:

8f4b78907bbfe915988d52724c66dae0e2eefa9b
b0d3fd37a8884cf18f9c2bffc416035747d49977
e21702d20b6d4507708791c5a6a674b8bdadaab0
440aa37cc462ac9a230636e6758152c3a520fed4
3bbb7bc57f0de9dfe8fa979b7e122cafc4f9c139
39db18962f5368957293cf678e4e7249a8b81ca8
3852adddff6df4d9f6f4cc1add11b06c272d29ef
b9e880b3d9cf5666947cae60adc0846385b04f54
2815de0510e222bc93f5b602b2cdd5c51f8adeb4
e56d66f729ba1713e59b2fb938cc09e69831ac0e
6fc3d93b4fe81be8e8f134c46d461d5815edda91
2ee46c16d2aa706b686b50ccb66a2a3ad9852c50
b1003099c202d05b7d3f570fe313039aebdec3f9
38c83abffd325ee23649c190b8ffb3d27a2bdb68
481a70c37464d356f60a30c5f51ffae755c4e6f0
9da789c73dd6675789b93fc0df0dfc8b274a86c3
298884abb35db7b6a8c6100dfd7bb8b57b1117fd
981948677c895e4e1d3b074f8a1a9c82fd65a80a
5dd0ef1991944a740b1d0107487d25d1acf5ebef
3fd067c7d63e132a84bfc155769012e4261a9f07
5e7d75d8754d157d10e3e7d730445bddd91e5b9e
8b9fe095b91ce62338829a6ac7012170e6af8898
04e452890ada8390828aa4c5c87ceefe44daa50f
a46d0ac59f074f999217586f18ba8772a645b246
c7408dd944ee5a0de5f04079d158f4575fb9036a
389a5523485dfbd48e87b6ee9c39c6c2e16294a0
959ed604ee1588f9a92c269a014fbf12b72fb8a4
22bd1bc2d7308167ea316c6b48f130d378ab4c8b
be9945a4d8e774e8255dd9ae0ed29c9a953ce3ff
b7e3cb83005ef28c70dc8d64cd0a57ba80ae9f4e
63d353e7b5ef235a86bf6df595951dc831108234
185a6d12935f55ad996de502e416114cc1f5aba0
Comment 83 Samba QA Contact 2022-07-27 11:12:05 UTC
This bug was referenced in samba v4-16-test:

628534b4dcf080a1ab9349d43973c97de818d69c
52b953bfc1891a83099b0829b00f6710f17454fb
f706dcd5ddc13f7e615a7d503420693d1ee45eb2
3bd5df466cb567be8c673eb20cfe903f1950a700
3034c1933c22c76d112693117ac6bf0f95a49f70
a0efc5bc0aeff42563660cd68ba4dcb85d609bc6
7cc2b1ac55390cefca0644534939329b49a9535a
82bfffcdc3cd2ae5f71f5cc18bf862ac88ee038a
5f32710d6787bbf821a37f786a3e82360b7b7660
06c7f3d3f672646b2e0e556693df83761e8dc4e1
c84eb0e673640aeb391766bda50ec7649a75e4d9
8a4f07c2ca2dc153a3c5fc635ac261d372c62fde
705e7ff46d61338e0529c2ac6ce2245d399d27d5
63d6af6ed70a0e9581f851c46c921f1024c7515d
99bbd95a1d6d96b33e9af310e8c0788440e51845
393c18b53ec88e18239b9fa2c1e6ef2009a75ad5
eade23880ec8484530ca19a929bae7c437eafc7e
b8d97f5bd5566996a5fb9def4d0ee3fb8b21974b
3761a6e87131a27b6687eb387b35069cba0119d3
4aafa72991cb59426669725733251d45f912cccb
ada799129ebc19c51a014dcf05cd17ea86b73f5b
9022a69aebfca3af5a5ef432ff392df69490d961
2b63f021e5970386fc4e4923f32b14008e6aac0e
fb7391ca60e4c86bcf79d25547476edf81278c1c
f70ada5eb45baf192f72e9df11327dea5a49fa36
b77fb6e636ce46f1f62cf5b71efd8dd3dd6fdbdb
90e53b8eae98c6b8ae0982a84bf87c329ab8f2a4
1f54e16cf1d5a1f113b88ae938c4752c630eb1d0
0cb4100d16d567f05669c192d6a20dbf5b9bbe98
ff66f68a11c87531648c907ae2a7a6753868bc03
9895018b64c56c6e5a291c0ae90f3fc33e26e0ef
8c0f421852dfcde31ef94e3af182e438a3bc460f
a46dd2846f37ec7d64716c8e68d53cf1ab5e4f67
e650b41ff907ac48f66844bbdf72f83a9e41ea16
Comment 84 Samba QA Contact 2022-07-27 11:59:33 UTC
This bug was referenced in samba master:

2872ccc931c9b601807f91cadc614dcf7c174c8f
b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
714cadfc4049454d76e37932377cfa3d9a6f464d
a118881f4fbbc926566b359ef944369ab948d5de
48eb3354c5f823715755c74a96f34c7607e400d3
a5a2fc4259ccdd9409e604756e36ee380c30f896
888d58f43344afd6c199cd62be5e56f0f6174720
18bd6dafb576a58440d5c4ba6fff86dfe510bd98
332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
6a2ec50bfdb1b1178e764c6395e6220a1400c51f
192d597c2f2025845c3cd478fab9d72299c075bd
86698b313e74c37ba75da22d69b740b812b1c10c
1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
ce3b7b27a370e1f1299e8a60bf776082e2057a87
a8068e32a02d4f399f91c41427778d588b2b7b6a
23a03911a7fd65d4c2f0e6f2c7da646d079b2923
c6d93504911696ee1062d87d5a8108c65f5b9f3e
186f0c6e4869237acb296bd17c5de0102f0653ad
c0282bbbc132f0409d97f5745ad34eec99176f5d
3e773a3954ff95c4ec9daeedf2739a5edd81e8dc
018bdbc29db035e14019f0f58aba035cc86b534e
ffb599050ae2c1b9d0746addfdac1e41866aa819
be239c716874aadea7591fbe06652c449a350c3a
09e54a7b1d18f2fdb3ebe47dadcea12c52bd8810
fc03cf9f4547bf8164f61138d0211b866d36a956
6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
0d8995910f9846d38f705abcaa19dede98294f58
958f2bce695c3721a23cd7e81575da181be83828
3029d9bf350e2ab34514975452def269efc3ed96
Comment 85 Samba QA Contact 2022-07-27 13:06:30 UTC
This bug was referenced in samba v4-17-stable:

2872ccc931c9b601807f91cadc614dcf7c174c8f
b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
714cadfc4049454d76e37932377cfa3d9a6f464d
a118881f4fbbc926566b359ef944369ab948d5de
48eb3354c5f823715755c74a96f34c7607e400d3
a5a2fc4259ccdd9409e604756e36ee380c30f896
888d58f43344afd6c199cd62be5e56f0f6174720
18bd6dafb576a58440d5c4ba6fff86dfe510bd98
332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
6a2ec50bfdb1b1178e764c6395e6220a1400c51f
192d597c2f2025845c3cd478fab9d72299c075bd
86698b313e74c37ba75da22d69b740b812b1c10c
1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
ce3b7b27a370e1f1299e8a60bf776082e2057a87
a8068e32a02d4f399f91c41427778d588b2b7b6a
23a03911a7fd65d4c2f0e6f2c7da646d079b2923
c6d93504911696ee1062d87d5a8108c65f5b9f3e
186f0c6e4869237acb296bd17c5de0102f0653ad
c0282bbbc132f0409d97f5745ad34eec99176f5d
3e773a3954ff95c4ec9daeedf2739a5edd81e8dc
018bdbc29db035e14019f0f58aba035cc86b534e
ffb599050ae2c1b9d0746addfdac1e41866aa819
be239c716874aadea7591fbe06652c449a350c3a
09e54a7b1d18f2fdb3ebe47dadcea12c52bd8810
fc03cf9f4547bf8164f61138d0211b866d36a956
6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
0d8995910f9846d38f705abcaa19dede98294f58
958f2bce695c3721a23cd7e81575da181be83828
3029d9bf350e2ab34514975452def269efc3ed96
Comment 86 Samba QA Contact 2022-07-27 13:07:21 UTC
This bug was referenced in samba v4-17-test:

2872ccc931c9b601807f91cadc614dcf7c174c8f
b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
714cadfc4049454d76e37932377cfa3d9a6f464d
a118881f4fbbc926566b359ef944369ab948d5de
48eb3354c5f823715755c74a96f34c7607e400d3
a5a2fc4259ccdd9409e604756e36ee380c30f896
888d58f43344afd6c199cd62be5e56f0f6174720
18bd6dafb576a58440d5c4ba6fff86dfe510bd98
332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
6a2ec50bfdb1b1178e764c6395e6220a1400c51f
192d597c2f2025845c3cd478fab9d72299c075bd
86698b313e74c37ba75da22d69b740b812b1c10c
1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
ce3b7b27a370e1f1299e8a60bf776082e2057a87
a8068e32a02d4f399f91c41427778d588b2b7b6a
23a03911a7fd65d4c2f0e6f2c7da646d079b2923
c6d93504911696ee1062d87d5a8108c65f5b9f3e
186f0c6e4869237acb296bd17c5de0102f0653ad
c0282bbbc132f0409d97f5745ad34eec99176f5d
3e773a3954ff95c4ec9daeedf2739a5edd81e8dc
018bdbc29db035e14019f0f58aba035cc86b534e
ffb599050ae2c1b9d0746addfdac1e41866aa819
be239c716874aadea7591fbe06652c449a350c3a
09e54a7b1d18f2fdb3ebe47dadcea12c52bd8810
fc03cf9f4547bf8164f61138d0211b866d36a956
6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
0d8995910f9846d38f705abcaa19dede98294f58
958f2bce695c3721a23cd7e81575da181be83828
3029d9bf350e2ab34514975452def269efc3ed96
Comment 87 Andrew Bartlett 2022-07-28 09:09:43 UTC
Created attachment 17450 [details]
Fix gensec_krb5 dependency issue

An issue was seen in the 4.10 backport (but is likely more to do with linker
behaviour on an older OS than the version) where this incorrect dependency in
gensec_krb5_helper on gensec_krb5 (a module) caused the KDC to fail to start.

If you see this issue then the attached will help.

(We should also apply this to maintained branches as we should never depend on
a module).