Bug 15726 - 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc 8009 etypes are used
Summary: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc 8009 etypes ar...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Build (show other bugs)
Version: 4.21.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-09-27 11:08 UTC by Stefan Metzmacher
Modified: 2024-10-14 11:33 UTC (History)
2 users (show)

See Also:


Attachments
Patch for v4-21-test (1.16 KB, text/plain)
2024-10-01 09:06 UTC, Stefan Metzmacher
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2024-09-27 11:08:41 UTC
commit 8e931fce126e8c1128da893c806702731c08758a
Author:     Alexander Bokovoy <ab@samba.org>
AuthorDate: Thu Jun 22 09:56:12 2023 +0300
Commit:     Andrew Bartlett <abartlet@samba.org>
CommitDate: Mon Apr 8 03:00:39 2024 +0000

    Do not fail checksums for RFC8009 types
    
    While Active Directory does not support yet RFC 8009 encryption and
    checksum types, it is possible to verify these checksums when running
    with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
    domain controller which uses them by default.
    
    [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
    ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
      smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
    [2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
    class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
      check_pac_checksum: Checksum Type 20 is not supported
    [2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
    class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
      PAC Decode: Failed to verify the service signature: Invalid argument
    
    Signed-off-by: Alexander Bokovoy <ab@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

silently introduced the dependency for MIT 1.16 (if --with-system-mitkrb5 is used)
Comment 1 Samba QA Contact 2024-09-30 17:04:03 UTC
This bug was referenced in samba master:

5bcaafb757f704b2985057a5d3b1ad5fd42ae9f7
Comment 2 Stefan Metzmacher 2024-10-01 09:06:02 UTC
Created attachment 18451 [details]
Patch for v4-21-test
Comment 3 Andreas Schneider 2024-10-07 06:57:54 UTC
Jule, can you please apply the patch?
Comment 4 Jule Anger 2024-10-07 08:30:41 UTC
Pushed to autobuild-v4-21-test.
Comment 5 Samba QA Contact 2024-10-09 10:08:04 UTC
This bug was referenced in samba v4-21-test:

66a21e46d0b7d0b4b3cd710ed10d3945706eba87
Comment 6 Jule Anger 2024-10-09 14:20:37 UTC
Closing out bug report.

Thanks!
Comment 7 Samba QA Contact 2024-10-14 11:33:30 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.1):

66a21e46d0b7d0b4b3cd710ed10d3945706eba87