Bug 15760 - Kerberos tickets lifetime values calculated incorrectly
Summary: Kerberos tickets lifetime values calculated incorrectly
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: 4.19.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-11-29 08:16 UTC by Ivan Korytov
Modified: 2024-11-29 08:16 UTC
CC List: 0 users

See Also:


Description Ivan Korytov 2024-11-29 08:16:25 UTC
While testing automatic renewal for Kerberos tickets, I decided to check samba-gpupdate's ability to apply lifetime values for tickets from Group Policies.
Values allowed for lifetime have their minimum, maximum and "don’t expire" values (see https://learn.microsoft.com/ru-ru/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/kerberos-policy). They differ from Microsoft’s or aren’t processed in Samba at all.

What goes wrong (applying values from RSAT console):
- "Maximum lifetime for service ticket" values less than 60 minutes result in an inability to retrieve service tickets, because the code converts minutes to hours by dividing the minutes by 60 and stores the result as an integer (see https://github.com/samba-team/samba/blob/master/python/samba/gp/gp_sec_ext.py#L29).

2024-11-29 10:07:30.436|[I62543]| kdc:service_ticket_lifetime was changed from b'10' to 0 | {}

- "Maximum lifetime for user ticket" set to zero results in -1 internally, which gets multiplied by 24, so the renewal lifetime becomes incorrect too.

2024-11-29 09:56:51.944|[I48023]| kdc:user_ticket_lifetime was changed from None to -1 | {}
2024-11-29 09:56:51.945|[I55506]| kdc:renewal_lifetime was changed from None to -24 | {}

- "Maximum lifetime for user ticket renewal" set to zero results in an inability to retrieve service tickets.

2024-11-29 10:45:22.191|[I21553]| kdc:renewal_lifetime was changed from b'48' to 0 | {}

samba-gpupdate can't connect to a DC to remove the incorrect values from the internal database because it needs an LDAP service ticket. Removing /var/cache/samba/gpo.tdb and restarting the service works. Setting the values in /etc/samba/smb.conf doesn't override the incorrect values either. No documentation is available that describes the "kdc:" parameters and their limits/special values, only a mention in "gpo update command" (https://bugzilla.samba.org/show_bug.cgi?id=10461).

Example of an error when trying to run samba-gpupdate afterwards:

gse_get_client_auth_token: gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Requested effective lifetime is negative or too short](2529638923)
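The following Python is an added illustration written for this page; it is not the reporter's code and not Samba's own gp_sec_ext.py. It reproduces the minutes-to-hours conversion exactly as the report describes it (integer truncation, so anything under 60 minutes becomes 0 hours), places an alternative conversion beside it, and adds a small checker that scans samba-gpupdate log lines of the form quoted above for "kdc:" lifetimes that were changed to zero or a negative number. The log-line regular expression, the `minutes_to_hours_safe` policy (round up, treat a GPO value of 0 as "do not write a sentinel") and the `SAMPLE_LOG` text (copied from the report) are assumptions for the example, not a description of how Samba actually behaves.

```python
import math
import re

# Assumed shape of the samba-gpupdate log lines quoted in the report:
#   <timestamp>|[<id>]| kdc:<key> was changed from <old> to <new> | {}
LOG_RE = re.compile(
    r"kdc:(?P<key>\w+) was changed from (?P<old>\S+) to (?P<new>-?\d+)"
)

# Constructed sample: the four log lines from the bug report.
SAMPLE_LOG = """\
2024-11-29 10:07:30.436|[I62543]| kdc:service_ticket_lifetime was changed from b'10' to 0 | {}
2024-11-29 09:56:51.944|[I48023]| kdc:user_ticket_lifetime was changed from None to -1 | {}
2024-11-29 09:56:51.945|[I55506]| kdc:renewal_lifetime was changed from None to -24 | {}
2024-11-29 10:45:22.191|[I21553]| kdc:renewal_lifetime was changed from b'48' to 0 | {}
"""


def minutes_to_hours_truncating(minutes: int) -> int:
    """Conversion as the report describes it: divide by 60 and keep the
    integer part. A service ticket lifetime of 10 minutes becomes 0 hours."""
    return int(minutes / 60)


def minutes_to_hours_safe(minutes: int):
    """Illustrative alternative (an assumption, not Samba's behaviour):
    a positive value is rounded UP so a short-but-valid lifetime never
    collapses to 0 hours; a GPO value of 0 ("don't expire" in the policy
    UI) is returned as None so the caller leaves the kdc: setting alone
    instead of storing a 0 or -1 sentinel; negatives are rejected."""
    if minutes < 0:
        raise ValueError(f"negative lifetime not allowed: {minutes}")
    if minutes == 0:
        return None
    return max(1, math.ceil(minutes / 60))


def find_bad_kdc_values(log_text: str):
    """Scan samba-gpupdate log text and return (key, new_value) pairs where a
    kdc: lifetime was changed to zero or a negative number, i.e. the states
    that the report says leave the host unable to obtain service tickets."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match is None:
            continue
        new_value = int(match.group("new"))
        if new_value <= 0:
            findings.append((match.group("key"), new_value))
    return findings


if __name__ == "__main__":
    print("10 minutes, truncating:", minutes_to_hours_truncating(10))
    print("10 minutes, rounding up:", minutes_to_hours_safe(10))
    for key, value in find_bad_kdc_values(SAMPLE_LOG):
        print(f"suspicious kdc:{key} = {value}")
```

Running `find_bad_kdc_values` over the report's four lines flags all four changes; the same scan can be pointed at a live gpupdate log to catch a policy that is about to leave a member server without service tickets before the next ticket refresh fails.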