Bug 15482 - The KDC handles ‘krbtgt@realm’ principals incorrectly
Summary: The KDC handles ‘krbtgt@realm’ principals incorrectly
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.19.0rc2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jennifer Sutton
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-22 00:23 UTC by Jennifer Sutton
Modified: 2023-10-26 02:27 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jennifer Sutton 2023-09-22 00:23:56 UTC 
The KDC doesn’t consider principals of the form ‘krbtgt@realm’ — note the subtle distinction from ‘krbtgt/realm@realm’ — to be TGS principals. It will still issue TGTs to such principals, but these TGTs will have various anomalies: for example, they will not contain REQUESTER_SID PAC buffers; and if the client requests the PAC not to be issued, they will not even contain a PAC.
Comment 1 Andreas Schneider 2023-10-24 05:34:52 UTC 
Is this an issue in our glue layer or Heimdal code?
Comment 2 Jennifer Sutton 2023-10-24 06:17:27 UTC 
(In reply to Andreas Schneider from comment #1)
Both. I’ve opened MR 3282 to address this, but it needs a few things fixed up so that it can pass CI, and a new Heimdal import.
Comment 3 Samba QA Contact 2023-10-26 02:27:04 UTC 
This bug was referenced in samba master:

f266f5c670b4338e38ed42adc8aa81e5fa580ec1
3917a1995c319a70828b7b29866a6db1fb42e637
800f3203b1dd61531e7b861738558e751e45f8af
9a0c5ee4aefac943ee21e93af643b44e336c3563
865e4f0f8cb0f15da5d5cf8cc62d6bf7c57a8d1c
6d7a05bf780481a2792ff87ae635fb91e1f0c640
7b68f751be14cfbbab49ffa0084cc72e41d0a3f5
ddef0e5e1f63775cd22ee3b3febc6f765abbebf8
122117357722445526124ec5ecf9e152bc8e2c87
ea6d2ddb66ec28097c1fe47e2d0a9ab8c1f3e7c6
d57f3bdcd3374b9661571e5e815be93c666a47cf