Bug 15049 - samba4kpasswd fails with a Windows server
Summary: samba4kpasswd fails with a Windows server
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.16.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
 
Reported: 2022-04-19 01:41 UTC by Jo Sutton
Modified: 2022-11-30 22:03 UTC



Attachments
proposed patch for master (969 bytes, patch)
2022-04-19 01:43 UTC, Jo Sutton

Description Jo Sutton 2022-04-19 01:41:37 UTC
samba4kpasswd obtains a service ticket to 'kadmin/changepw' and presents it to the DC in order to change the password. Since the November 2021 updates, Windows expects PAC buffer 18 (requestor SID) to be present in the ticket it receives. As these buffers are only found in TGTs, and are stripped out when creating a service ticket, the request therefore fails.

In order for this to work, we need to present a TGT to the KDC rather than a service ticket.
Comment 1 Jo Sutton 2022-04-19 01:43:06 UTC
Created attachment 17272
proposed patch for master
Comment 2 Andrew Bartlett 2022-05-04 05:02:37 UTC
I'm told the issue on the Windows side has been addressed in the April 2022 Patch Tuesday updates, so a TGT is not required.

Can you check?
Comment 3 Jo Sutton 2022-05-24 05:06:02 UTC
Windows now properly handles tickets issued to kadmin/changepw, so we should use those instead of TGTs. However, for this to work we still need to obtain the ticket with an AS-REQ (to ensure it is an initial ticket); the --cache parameter of samba4kpasswd bypasses this and should be removed.

Samba's kpasswd service should also ensure tickets supplied to it have the 'initial' flag set.
Comment 4 Stefan Metzmacher 2022-06-07 10:59:39 UTC
I guess the known issue "Change password for third-party, domain-joined devices" here: 
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041, correct?

It is related to PacRequestorEnforcement=2

The sssd bug report also seems to be related
https://bugzilla.redhat.com/show_bug.cgi?id=2039349

Which is also described here:
https://docs.microsoft.com/en-us/answers/questions/695954/microsoft-kb5008380-for-cve-2021-42287-unable-to-j.html

So there's only the kpasswd protocol affected, which means in Samba
only 'net ads changetrustpw' and 'net ads password' are affected?

And bug #15047 is our server side of it?

Do I have a correct understanding of the situation for the client side here?

Andrew/Joseph, is this problem still there with Microsoft's April 2022 updates?
I mean in kerberos_set_password()? I guess yes, as we get the ticket in two steps, kerberos_kinit_password() to get a normal initial TGT (via an AS-REQ) for krbtgt/REALM@REALM and then get a service ticket (via TGS-REQ) for kadmin/changepw@REALM, while we should use an AS-REQ to get an "initial" ticket for kadmin/changepw@REALM.
Comment 5 Jo Sutton 2022-06-08 02:42:41 UTC
(In reply to Stefan Metzmacher from comment #4)
Yes, the Windows updates requiring that tickets contain a PAC broke the kpasswd protocol with non-initial tickets. But it seems this was fixed in a later update.

I initially thought kerberos_set_password() was affected by the initial ticket requirement, and I wrote patches so that commands like 'net ads changetrustpw' and 'net ads password' would bypass the ccache and always get an initial ticket, but I turned out to be mistaken -- the initial ticket requirement only applies if we're changing or setting our own password. If we're changing another user's password (or doing a password set with an explicit principal and realm), then ACLs apply (as for an LDAP password set) and an initial ticket is not required. So I dropped those patches from the kpasswd patchset.
Comment 6 Jo Sutton 2022-06-13 00:28:29 UTC
Comment on attachment 17272
proposed patch for master

This patch worked as a temporary solution before Windows updates affected kpasswd, but we do not want to present a TGT to the kpasswd service.
Comment 7 Andrew Bartlett 2022-06-13 23:25:03 UTC
Embargoed as submitting a TGT to kpasswd turns out not to be a good outcome, and so I've got MS looking at MSRC Case 72516.
Comment 8 Samba QA Contact 2022-07-27 10:32:17 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.9):

Comment 9 Samba QA Contact 2022-07-27 10:34:39 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.14):

Comment 10 Samba QA Contact 2022-07-27 10:35:30 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.4):

Comment 11 Samba QA Contact 2022-07-27 10:38:29 UTC
This bug was referenced in samba v4-14-test:

Comment 12 Samba QA Contact 2022-07-27 11:08:31 UTC
This bug was referenced in samba v4-16-test:

Comment 13 Samba QA Contact 2022-07-27 11:11:39 UTC
This bug was referenced in samba v4-15-test:

Comment 14 Samba QA Contact 2022-07-27 11:59:25 UTC
This bug was referenced in samba master:

Comment 15 Samba QA Contact 2022-07-27 13:06:39 UTC
This bug was referenced in samba v4-17-stable:

Comment 16 Samba QA Contact 2022-07-27 13:07:29 UTC
This bug was referenced in samba v4-17-test:

Comment 17 Andrew Bartlett 2022-11-30 22:03:20 UTC
Removing embargo. Samba's behaviour (TGT cannot be used to change a password) is correct, and Microsoft MSRC has indicated that the Windows behaviour may change to address this in the future.
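
The ticket acceptance rules discussed in comments 3, 5 and 17, modelled as an added example (this is not Samba's code and not part of the bug report). The struct, the function and enum names, and the sample principals and flag values are hypothetical; the only protocol constant used is the RFC 4120 "initial" ticket flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4120 TicketFlags bit 9 ("initial"), counting from the most significant bit. */
#define TKT_FLAG_INITIAL 0x00400000u

enum kpasswd_verdict {
    KPASSWD_ACCEPT,               /* own password, initial ticket */
    KPASSWD_CHECK_ACL,            /* another principal: ACLs decide, as for LDAP */
    KPASSWD_REJECT_TGT,           /* a TGT must not be usable to change a password */
    KPASSWD_REJECT_WRONG_SERVICE,
    KPASSWD_REJECT_NOT_INITIAL    /* own password, ticket came from a TGS-REQ */
};

/* Hypothetical, simplified view of an already decrypted ticket. */
struct ticket_view {
    const char *client;   /* client principal */
    const char *service;  /* server principal without the realm */
    uint32_t flags;       /* TicketFlags as a 32-bit value */
};

/* target == NULL models a change request that names no explicit principal.
 * Assumption: an explicit target equal to the client counts as a self-change. */
enum kpasswd_verdict kpasswd_check(const struct ticket_view *t, const char *target)
{
    if (strncmp(t->service, "krbtgt/", 7) == 0)
        return KPASSWD_REJECT_TGT;
    if (strcmp(t->service, "kadmin/changepw") != 0)
        return KPASSWD_REJECT_WRONG_SERVICE;
    bool self = (target == NULL) || strcmp(target, t->client) == 0;
    if (!self)
        return KPASSWD_CHECK_ACL;
    return (t->flags & TKT_FLAG_INITIAL) ? KPASSWD_ACCEPT
                                         : KPASSWD_REJECT_NOT_INITIAL;
}

int main(void)
{
    /* Constructed sample tickets; principals and flag values are made up. */
    struct ticket_view via_tgs = { "alice@EXAMPLE.TEST", "kadmin/changepw", 0x40a10000u };
    struct ticket_view via_as  = { "alice@EXAMPLE.TEST", "kadmin/changepw", 0x00e10000u };
    struct ticket_view tgt     = { "alice@EXAMPLE.TEST", "krbtgt/EXAMPLE.TEST", 0x40e10000u };
    printf("TGS-REQ ticket, own password: %d\n", kpasswd_check(&via_tgs, NULL));
    printf("AS-REQ ticket, own password:  %d\n", kpasswd_check(&via_as, NULL));
    printf("TGT presented:                %d\n", kpasswd_check(&tgt, NULL));
    return 0;
}
```

The service check runs first so that a TGT is refused even though it carries the initial flag, which is the case a flag-only test would let through.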