Bug 15492 - Kerberos TGS-REQ with User2User does not work for normal accounts
Summary: Kerberos TGS-REQ with User2User does not work for normal accounts
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.19.0
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-10 13:34 UTC by Stefan Metzmacher
Modified: 2023-11-27 12:12 UTC

See Also:


Attachments
Patches for v4-19-test (8.05 KB, patch)
2023-10-17 05:43 UTC, Stefan Metzmacher
abartlet: review+
Patches for v4-19-test (8.05 KB, patch)
2023-10-25 07:45 UTC, Jule Anger
metze: review+

Description Stefan Metzmacher 2023-10-10 13:34:59 UTC
E.g. Apple Kerberos SSO uses a Kerberos User2User TGS-REQ in order to
get a PAC for a user, instead of getting a PAC using a TGS-REQ for the machine account.

If the account is not a computer and does not have a servicePrincipalName
attribute, we don't allow it to act as a server, because it would allow
an offline attack against the password of the user.

However, Kerberos User2User is exactly designed for that, so that
the session key of the additional ticket is used instead of
the password of the user account.

So our current logic is too strict.
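As an added illustration (not Samba or Heimdal code; all names are hypothetical), the following Python models the server-eligibility check described above, once in its too-strict form and once in the relaxed form this bug asks for, and shows which key the service ticket would be sealed with in each case.

```python
# Model of the KDC check described in this bug. Added illustration only:
# not Samba/Heimdal code; all names here are hypothetical.
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

def long_term_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key: a key derived from the password,
    so anything sealed with it can be attacked offline by guessing passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

@dataclass(frozen=True)
class Account:
    name: str
    is_computer: bool
    spns: Tuple[str, ...]   # servicePrincipalName values
    password: str

@dataclass(frozen=True)
class TgsReq:
    """Subset of a TGS-REQ: ENC-TKT-IN-SKEY marks User2User, and the session
    key of the additional ticket (the target user's TGT) travels with it."""
    sname: str
    enc_tkt_in_skey: bool = False
    additional_ticket_session_key: Optional[bytes] = None

def may_act_as_server_old(acct: Account, req: TgsReq) -> bool:
    """Too-strict rule: only computers or accounts with an SPN may be a server."""
    return acct.is_computer or bool(acct.spns)

def may_act_as_server_fixed(acct: Account, req: TgsReq) -> bool:
    """Relaxed rule: User2User is also allowed, because the service ticket is
    sealed with the additional ticket's session key, not the user's password."""
    if req.enc_tkt_in_skey:
        return req.additional_ticket_session_key is not None
    return acct.is_computer or bool(acct.spns)

def service_ticket_key(acct: Account, req: TgsReq) -> bytes:
    """Key the KDC seals the service ticket with for this request."""
    if req.enc_tkt_in_skey and req.additional_ticket_session_key is not None:
        return req.additional_ticket_session_key
    return long_term_key(acct.password, "REALM" + acct.name)

def handle_tgs_req(acct: Account, req: TgsReq, fixed: bool = True) -> Tuple[str, Optional[bytes]]:
    """KDC decision: refuse the target as a server, or seal a ticket for it."""
    allowed = may_act_as_server_fixed(acct, req) if fixed else may_act_as_server_old(acct, req)
    if not allowed:
        return ("refused", None)
    return ("ticket", service_ticket_key(acct, req))
```

With the old rule a plain user account is refused even for User2User; with the fixed rule it is accepted, and the sealing key is the TGT session key, which does not depend on the user's password.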
Comment 1 Samba QA Contact 2023-10-16 15:39:13 UTC
This bug was referenced in samba master:

c99fe118fdf11c641d74a51d33b52ac411db95f5
cbb8145d0c58b34b76a579afd81f0e19ec7106b6
bf79979f847de36db9da9646a396cdfe6b0e1c6f
Comment 2 Stefan Metzmacher 2023-10-17 05:43:23 UTC
Created attachment 18159 [details]
Patches for v4-19-test
Comment 3 Andrew Bartlett 2023-10-17 06:00:21 UTC
Comment on attachment 18159 [details]
Patches for v4-19-test

I note here on the bug that the line "(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)" is significant.

The third_party/heimdal tree in 4.19 is no longer a match for the indicated lorikeet-heimdal commit; it is maintained in-tree from here, as we don't have multiple branches of lorikeet-heimdal.
Comment 4 Jule Anger 2023-10-25 07:45:37 UTC
Created attachment 18176 [details]
Patches for v4-19-test

The previous patches didn't apply. I suspect the patches were in the wrong order. In master, the third patch of the previous patches comes first.
I have only changed the order. Please check.
Comment 5 Jule Anger 2023-11-07 12:49:41 UTC
Pushed to autobuild-v4-19-test.
Comment 6 Samba QA Contact 2023-11-07 14:01:06 UTC
This bug was referenced in samba v4-19-test:

166035b7c557b0d3ef61eaaa85a24bc0b805d8c3
94fa28979065556a8c0fa71095d87a15c9c6488c
3b649ba044c8d287bc179c3f17ee850eb5dae820
Comment 7 Jule Anger 2023-11-07 15:25:23 UTC
Closing out bug report.

Thanks!
Comment 8 Samba QA Contact 2023-11-27 12:12:27 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.3):

166035b7c557b0d3ef61eaaa85a24bc0b805d8c3
94fa28979065556a8c0fa71095d87a15c9c6488c
3b649ba044c8d287bc179c3f17ee850eb5dae820