Bug 15492 - Kerberos TGS-REQ with User2User does not work for normal accounts
Summary: Kerberos TGS-REQ with User2User does not work for normal accounts
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.19.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Depends on:
Reported: 2023-10-10 13:34 UTC by Stefan Metzmacher
Modified: 2023-11-27 12:12 UTC
CC List: 3 users

See Also:

Patches for v4-19-test (8.05 KB, patch)
2023-10-17 05:43 UTC, Stefan Metzmacher
abartlet: review+
Patches for v4-19-test (8.05 KB, patch)
2023-10-25 07:45 UTC, Jule Anger
metze: review+

Description Stefan Metzmacher 2023-10-10 13:34:59 UTC
E.g. Apple Kerberos SSO uses a Kerberos User2User TGS-REQ in order to
get a PAC for a user, instead of getting a PAC using a TGS-REQ for the machine account.

If the account is not a computer and does not have a servicePrincipalName
attribute, we don't allow it to act as a server, because it would allow
an offline attack against the password of the user.

However, Kerberos User2User is exactly designed for that, so that
the session key of the additional ticket is used instead of
the password of the user account.

So our current logic is too strict.
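The following is an added example, not code from Samba, Heimdal or Apple, modelling the reasoning in the report above: a service ticket from a normal TGS-REQ is sealed with the server account's long-term key (derived from its password), so a ticket for a plain user account would be crackable offline, whereas a User2User ticket is sealed with the session key of the additional ticket (the server's TGT) and exposes nothing about the password. The string-to-key and cipher are simplified stand-ins for the Kerberos AES enctypes, the account, password and wordlist are constructed sample data, and `may_act_as_server_old`/`may_act_as_server_new` are hypothetical names for the rule before and after the relaxation, not Samba's functions.

```python
"""Toy model (not Samba/Heimdal code) of why the KDC's "may this account act
as a server?" check is too strict for User2User (U2U) TGS-REQs.

A service ticket's encrypted part is sealed with either
  - the server account's long-term key, derived from its password
    (normal TGS-REQ), or
  - the session key of the additional ticket (the server's TGT) supplied by
    the client (U2U, KDC option ENC-TKT-IN-SKEY).
Only the first case lets whoever obtains the ticket guess the password
offline. string_to_key() and seal() are simplified stand-ins for the
Kerberos AES enctypes (RFC 3962); all sample data is constructed.
"""

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    realm: str
    password: str
    is_computer: bool
    spns: tuple  # servicePrincipalName values, () if none


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for RFC 3962 string-to-key: PBKDF2-HMAC-SHA1, salt = realm + principal.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def long_term_key(acct: Account) -> bytes:
    return string_to_key(acct.password, acct.realm + acct.name)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC; returns nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def may_act_as_server_old(acct: Account, user2user: bool) -> bool:
    # The rule the report calls too strict: not a computer and no SPN => refuse,
    # whether or not the request is U2U.
    return acct.is_computer or bool(acct.spns)


def may_act_as_server_new(acct: Account, user2user: bool) -> bool:
    # Relaxed rule: a U2U ticket never uses the long-term key, so the
    # computer/SPN restriction only needs to apply to normal TGS-REQs.
    return user2user or acct.is_computer or bool(acct.spns)


def issue_service_ticket(server: Account, user2user: bool,
                         tgt_session_key: bytes, pac: bytes) -> bytes:
    if not may_act_as_server_new(server, user2user):
        raise PermissionError(f"{server.name} may not act as a server")
    key = tgt_session_key if user2user else long_term_key(server)
    return seal(key, pac)


def offline_guess(blob: bytes, salt: str, wordlist):
    # What an attacker holding the ticket can try: derive a key per candidate
    # password (salt = realm + principal is public) and see which one opens it.
    for pw in wordlist:
        if unseal(string_to_key(pw, salt), blob) is not None:
            return pw
    return None


def demo() -> dict:
    alice = Account("alice", "EXAMPLE.COM", "Summer2023!", is_computer=False, spns=())
    pac = b"PAC for alice"
    wordlist = ["password", "Summer2023!", "letmein"]   # constructed
    tgt_session_key = os.urandom(32)                    # random per TGT
    # Sealed with alice's long-term key: crackable offline, hence the old refusal.
    normal = seal(long_term_key(alice), pac)
    # Sealed with the TGT session key: the wordlist is useless, only the TGT holder can open it.
    u2u = issue_service_ticket(alice, True, tgt_session_key, pac)
    return {
        "old_rule_allows_u2u": may_act_as_server_old(alice, True),
        "new_rule_allows_u2u": may_act_as_server_new(alice, True),
        "new_rule_allows_normal": may_act_as_server_new(alice, False),
        "normal_ticket_cracked": offline_guess(normal, alice.realm + alice.name, wordlist),
        "u2u_ticket_cracked": offline_guess(u2u, alice.realm + alice.name, wordlist),
        "u2u_opens_with_session_key": unseal(tgt_session_key, u2u) == pac,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two halves of the argument side by side: the ticket sealed under the user's long-term key falls to the short wordlist, the U2U ticket does not, and the relaxed rule still refuses a normal TGS-REQ for an account with neither computer status nor an SPN.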
Comment 1 Samba QA Contact 2023-10-16 15:39:13 UTC
This bug was referenced in samba master:

Comment 2 Stefan Metzmacher 2023-10-17 05:43:23 UTC
Created attachment 18159
Patches for v4-19-test
Comment 3 Andrew Bartlett 2023-10-17 06:00:21 UTC
Comment on attachment 18159
Patches for v4-19-test

I note here on the bug that the line "(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)" is significant.

The third_party/heimdal tree in 4.19 is no longer a match for the indicated lorikeet-heimdal commit, it is maintained in-tree from here as we don't have multiple branches of lorikeet-heimdal.
Comment 4 Jule Anger 2023-10-25 07:45:37 UTC
Created attachment 18176
Patches for v4-19-test

The previous patches didn't apply. I suspect the patches were in the wrong order. In master, the third patch of the previous patches comes first.
I have only changed the order. Please check.
Comment 5 Jule Anger 2023-11-07 12:49:41 UTC
Pushed to autobuild-v4-19-test.
Comment 6 Samba QA Contact 2023-11-07 14:01:06 UTC
This bug was referenced in samba v4-19-test:

Comment 7 Jule Anger 2023-11-07 15:25:23 UTC
Closing out bug report.

Comment 8 Samba QA Contact 2023-11-27 12:12:27 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.3):