Bug 15049 - samba4kpasswd fails with a Windows server
Summary: samba4kpasswd fails with a Windows server
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.16.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-19 01:41 UTC by Jennifer Sutton
Modified: 2022-11-30 22:03 UTC (History)
11 users (show)

See Also:


Attachments
proposed patch for master (969 bytes, patch)
2022-04-19 01:43 UTC, Jennifer Sutton
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jennifer Sutton 2022-04-19 01:41:37 UTC
samba4kpasswd obtains a service ticket to 'kadmin/changepw' and presents it to the DC in order to change the password. Since the November 2021 updates, Windows expects PAC buffer 18 (requestor SID) to be present in the ticket it receives. As these buffers are only found in TGTs, and are stripped out when creating a service ticket, the request therefore fails.

In order for this to work, we need to present a TGT to the KDC rather than a service ticket.
Comment 1 Jennifer Sutton 2022-04-19 01:43:06 UTC
Created attachment 17272 [details]
proposed patch for master
Comment 2 Andrew Bartlett 2022-05-04 05:02:37 UTC
I'm told the issue on the Windows side has been addressed in the April 2022 Patch Tuesday updates, so a TGT is not required.

Can you check?
Comment 3 Jennifer Sutton 2022-05-24 05:06:02 UTC
Windows now properly handles tickets issued to kadmin/changepw, so we should use those instead of TGTs. However, for this to work we still need to obtain the ticket with an AS-REQ (to ensure it is an initial ticket); the --cache parameter of samba4kpasswd bypasses this and should be removed.

Samba's kpasswd service should also ensure tickets supplied to it have the 'initial' flag set.
Comment 4 Stefan Metzmacher 2022-06-07 10:59:39 UTC
I guess the known issue "Change password for third-party, domain-joined devices" here: 
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041, correct?

It is related to PacRequestorEnforcement=2

The sssd bug report also seems to be related
https://bugzilla.redhat.com/show_bug.cgi?id=2039349

Which is also described here:
https://docs.microsoft.com/en-us/answers/questions/695954/microsoft-kb5008380-for-cve-2021-42287-unable-to-j.html

So there's only the kpasswd protocol affected, which means in Samba
only 'net ads changetrustpw' and 'net ads password' are affected?

And bug #15047 is our server side of it?

Do I have a correct understanding of the situation for the client side here?

Andrew/Joseph is this problem still there with Microsofts April 2022 updates?
I mean in kerberos_set_password()? I guess yes, as we get the ticket in two steps, kerberos_kinit_password() to get a normal initial TGT (via a AS-REQ) for krbtgt/REALM@REALM and then get a service ticket (via TGS-REQ) for kadmin/changepw@REALM, while we should use an AS-REQ to get a "initial" ticket for kadmin/changepw@REALM.
Comment 5 Jennifer Sutton 2022-06-08 02:42:41 UTC
(In reply to Stefan Metzmacher from comment #4)
Yes, the Windows updates requiring that tickets contain a PAC broke the kpasswd protocol with non-initial tickets. But it seems this was fixed in a later update.

I initially thought kerberos_set_password() was affected by the initial ticket requirement, and I wrote patches so that commands like 'net ads changetrustpw' and 'net ads password' would bypass the ccache and always get an initial ticket, but I turned out to be mistaken -- the initial ticket requirement only applies if we're changing or setting our own password. If we're changing another user's password (or doing a password set with an explicit principal and realm), then ACLs apply (as for an LDAP password set) and an initial ticket is not required. So I dropped those patches from the kpasswd patchset.
Comment 6 Jennifer Sutton 2022-06-13 00:28:29 UTC
Comment on attachment 17272 [details]
proposed patch for master

This patch worked as a temporary solution before Windows updates affected kpasswd, but we do not want to present a TGT to the kpasswd service.
Comment 7 Andrew Bartlett 2022-06-13 23:25:03 UTC
Embargoed as submitting a TGT to kpasswd turns out not to be a good outcome, and so I've got MS looking at MSRC Case 72516
Comment 8 Samba QA Contact 2022-07-27 10:32:17 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.9):

b0d3fd37a8884cf18f9c2bffc416035747d49977
e21702d20b6d4507708791c5a6a674b8bdadaab0
3bbb7bc57f0de9dfe8fa979b7e122cafc4f9c139
39db18962f5368957293cf678e4e7249a8b81ca8
3852adddff6df4d9f6f4cc1add11b06c272d29ef
b9e880b3d9cf5666947cae60adc0846385b04f54
2815de0510e222bc93f5b602b2cdd5c51f8adeb4
e56d66f729ba1713e59b2fb938cc09e69831ac0e
6fc3d93b4fe81be8e8f134c46d461d5815edda91
2ee46c16d2aa706b686b50ccb66a2a3ad9852c50
b1003099c202d05b7d3f570fe313039aebdec3f9
38c83abffd325ee23649c190b8ffb3d27a2bdb68
481a70c37464d356f60a30c5f51ffae755c4e6f0
9da789c73dd6675789b93fc0df0dfc8b274a86c3
298884abb35db7b6a8c6100dfd7bb8b57b1117fd
22bd1bc2d7308167ea316c6b48f130d378ab4c8b
be9945a4d8e774e8255dd9ae0ed29c9a953ce3ff
b7e3cb83005ef28c70dc8d64cd0a57ba80ae9f4e
63d353e7b5ef235a86bf6df595951dc831108234
Comment 9 Samba QA Contact 2022-07-27 10:34:39 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.14):

1b38a28bcaebdae0128518605a422a194747a60f
f6c5a60336de8fd67a2ef371dd2ee4cf75c53904
f7fad997cc06a14c9ffd101b26e16598f334148b
695c662bdc286d7a4699025f00656f8339ceecd8
ae7dd875cd4362ed4346716db493164c421b889f
13fe7e013eccca2c86258084f4443ddb7abaf089
5c41e20fae268e04aa05e821c7f388ea090727af
668825ad56ff70715c626bc3209a6868409e4969
450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2
29ec8b2369b5f5e2a660a3165d2528982514a0f2
3a8da51396f3bf9d4caf8dbd4e75a0314aa47046
cf9e37604409ba0c3c5904af40beb2975c309ad4
cf749fac346ef59c91a9ea87f5e7ddec2e5649c7
198256e2184897300e1cea4343437c3b7b6f74ad
6c4fd575d706b2695090941ad7947b30abdb9071
95afbc2da9b541fb8f2eebdcd411f5873d1675ac
4b61092459b403b2945daa9082052366f3508b69
89c6e36938c27b572573b06d1b35db210bfda99b
d5af460403d3949ba266f5c74f051247cd7ce752
Comment 10 Samba QA Contact 2022-07-27 10:35:30 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.4):

f706dcd5ddc13f7e615a7d503420693d1ee45eb2
3bd5df466cb567be8c673eb20cfe903f1950a700
a0efc5bc0aeff42563660cd68ba4dcb85d609bc6
7cc2b1ac55390cefca0644534939329b49a9535a
82bfffcdc3cd2ae5f71f5cc18bf862ac88ee038a
5f32710d6787bbf821a37f786a3e82360b7b7660
06c7f3d3f672646b2e0e556693df83761e8dc4e1
c84eb0e673640aeb391766bda50ec7649a75e4d9
8a4f07c2ca2dc153a3c5fc635ac261d372c62fde
705e7ff46d61338e0529c2ac6ce2245d399d27d5
63d6af6ed70a0e9581f851c46c921f1024c7515d
99bbd95a1d6d96b33e9af310e8c0788440e51845
393c18b53ec88e18239b9fa2c1e6ef2009a75ad5
eade23880ec8484530ca19a929bae7c437eafc7e
b8d97f5bd5566996a5fb9def4d0ee3fb8b21974b
ff66f68a11c87531648c907ae2a7a6753868bc03
9895018b64c56c6e5a291c0ae90f3fc33e26e0ef
8c0f421852dfcde31ef94e3af182e438a3bc460f
a46dd2846f37ec7d64716c8e68d53cf1ab5e4f67
Comment 11 Samba QA Contact 2022-07-27 10:38:29 UTC
This bug was referenced in samba v4-14-test:

1b38a28bcaebdae0128518605a422a194747a60f
f6c5a60336de8fd67a2ef371dd2ee4cf75c53904
f7fad997cc06a14c9ffd101b26e16598f334148b
695c662bdc286d7a4699025f00656f8339ceecd8
ae7dd875cd4362ed4346716db493164c421b889f
13fe7e013eccca2c86258084f4443ddb7abaf089
5c41e20fae268e04aa05e821c7f388ea090727af
668825ad56ff70715c626bc3209a6868409e4969
450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2
29ec8b2369b5f5e2a660a3165d2528982514a0f2
3a8da51396f3bf9d4caf8dbd4e75a0314aa47046
cf9e37604409ba0c3c5904af40beb2975c309ad4
cf749fac346ef59c91a9ea87f5e7ddec2e5649c7
198256e2184897300e1cea4343437c3b7b6f74ad
6c4fd575d706b2695090941ad7947b30abdb9071
95afbc2da9b541fb8f2eebdcd411f5873d1675ac
4b61092459b403b2945daa9082052366f3508b69
89c6e36938c27b572573b06d1b35db210bfda99b
d5af460403d3949ba266f5c74f051247cd7ce752
Comment 12 Samba QA Contact 2022-07-27 11:08:31 UTC
This bug was referenced in samba v4-16-test:

f706dcd5ddc13f7e615a7d503420693d1ee45eb2
3bd5df466cb567be8c673eb20cfe903f1950a700
a0efc5bc0aeff42563660cd68ba4dcb85d609bc6
7cc2b1ac55390cefca0644534939329b49a9535a
82bfffcdc3cd2ae5f71f5cc18bf862ac88ee038a
5f32710d6787bbf821a37f786a3e82360b7b7660
06c7f3d3f672646b2e0e556693df83761e8dc4e1
c84eb0e673640aeb391766bda50ec7649a75e4d9
8a4f07c2ca2dc153a3c5fc635ac261d372c62fde
705e7ff46d61338e0529c2ac6ce2245d399d27d5
63d6af6ed70a0e9581f851c46c921f1024c7515d
99bbd95a1d6d96b33e9af310e8c0788440e51845
393c18b53ec88e18239b9fa2c1e6ef2009a75ad5
eade23880ec8484530ca19a929bae7c437eafc7e
b8d97f5bd5566996a5fb9def4d0ee3fb8b21974b
ff66f68a11c87531648c907ae2a7a6753868bc03
9895018b64c56c6e5a291c0ae90f3fc33e26e0ef
8c0f421852dfcde31ef94e3af182e438a3bc460f
a46dd2846f37ec7d64716c8e68d53cf1ab5e4f67
Comment 13 Samba QA Contact 2022-07-27 11:11:39 UTC
This bug was referenced in samba v4-15-test:

b0d3fd37a8884cf18f9c2bffc416035747d49977
e21702d20b6d4507708791c5a6a674b8bdadaab0
3bbb7bc57f0de9dfe8fa979b7e122cafc4f9c139
39db18962f5368957293cf678e4e7249a8b81ca8
3852adddff6df4d9f6f4cc1add11b06c272d29ef
b9e880b3d9cf5666947cae60adc0846385b04f54
2815de0510e222bc93f5b602b2cdd5c51f8adeb4
e56d66f729ba1713e59b2fb938cc09e69831ac0e
6fc3d93b4fe81be8e8f134c46d461d5815edda91
2ee46c16d2aa706b686b50ccb66a2a3ad9852c50
b1003099c202d05b7d3f570fe313039aebdec3f9
38c83abffd325ee23649c190b8ffb3d27a2bdb68
481a70c37464d356f60a30c5f51ffae755c4e6f0
9da789c73dd6675789b93fc0df0dfc8b274a86c3
298884abb35db7b6a8c6100dfd7bb8b57b1117fd
22bd1bc2d7308167ea316c6b48f130d378ab4c8b
be9945a4d8e774e8255dd9ae0ed29c9a953ce3ff
b7e3cb83005ef28c70dc8d64cd0a57ba80ae9f4e
63d353e7b5ef235a86bf6df595951dc831108234
Comment 14 Samba QA Contact 2022-07-27 11:59:25 UTC
This bug was referenced in samba master:

b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
714cadfc4049454d76e37932377cfa3d9a6f464d
48eb3354c5f823715755c74a96f34c7607e400d3
a5a2fc4259ccdd9409e604756e36ee380c30f896
888d58f43344afd6c199cd62be5e56f0f6174720
18bd6dafb576a58440d5c4ba6fff86dfe510bd98
332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
6a2ec50bfdb1b1178e764c6395e6220a1400c51f
192d597c2f2025845c3cd478fab9d72299c075bd
86698b313e74c37ba75da22d69b740b812b1c10c
1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
ce3b7b27a370e1f1299e8a60bf776082e2057a87
fc03cf9f4547bf8164f61138d0211b866d36a956
6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
0d8995910f9846d38f705abcaa19dede98294f58
958f2bce695c3721a23cd7e81575da181be83828
Comment 15 Samba QA Contact 2022-07-27 13:06:39 UTC
This bug was referenced in samba v4-17-stable:

b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
714cadfc4049454d76e37932377cfa3d9a6f464d
48eb3354c5f823715755c74a96f34c7607e400d3
a5a2fc4259ccdd9409e604756e36ee380c30f896
888d58f43344afd6c199cd62be5e56f0f6174720
18bd6dafb576a58440d5c4ba6fff86dfe510bd98
332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
6a2ec50bfdb1b1178e764c6395e6220a1400c51f
192d597c2f2025845c3cd478fab9d72299c075bd
86698b313e74c37ba75da22d69b740b812b1c10c
1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
ce3b7b27a370e1f1299e8a60bf776082e2057a87
fc03cf9f4547bf8164f61138d0211b866d36a956
6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
0d8995910f9846d38f705abcaa19dede98294f58
958f2bce695c3721a23cd7e81575da181be83828
Comment 16 Samba QA Contact 2022-07-27 13:07:29 UTC
This bug was referenced in samba v4-17-test:

b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
714cadfc4049454d76e37932377cfa3d9a6f464d
48eb3354c5f823715755c74a96f34c7607e400d3
a5a2fc4259ccdd9409e604756e36ee380c30f896
888d58f43344afd6c199cd62be5e56f0f6174720
18bd6dafb576a58440d5c4ba6fff86dfe510bd98
332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
6a2ec50bfdb1b1178e764c6395e6220a1400c51f
192d597c2f2025845c3cd478fab9d72299c075bd
86698b313e74c37ba75da22d69b740b812b1c10c
1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
ce3b7b27a370e1f1299e8a60bf776082e2057a87
fc03cf9f4547bf8164f61138d0211b866d36a956
6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
0d8995910f9846d38f705abcaa19dede98294f58
958f2bce695c3721a23cd7e81575da181be83828
Comment 17 Andrew Bartlett 2022-11-30 22:03:20 UTC
Removing embargo.  Samba's behaviour (TGT cannot be used to change a password) is correct, and Microsoft MSRC has indicated that the windows behaviour may change to address this in the future.