Bug 9272 - net ads join does not provide AES keys in host keytab
net ads join does not provide AES keys in host keytab
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
3.6.8
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-09 12:37 UTC by Andreas Schneider
Modified: 2012-11-15 07:59 UTC (History)
2 users (show)

See Also:


Attachments
v4-0-test patch (4.29 KB, patch)
2012-10-09 12:37 UTC, Andreas Schneider
jra: review+
metze: review-
Details
v3-6-test patch (4.28 KB, patch)
2012-10-09 12:39 UTC, Andreas Schneider
jra: review+
metze: review-
Details
capture that still uses arcfour-hmac-md5 (7.15 KB, application/x-gzip)
2012-10-22 11:42 UTC, Stefan Metzmacher
no flags Details
capture that uses aes session keys (6.71 KB, application/x-gzip)
2012-10-22 11:42 UTC, Stefan Metzmacher
no flags Details
keytab to decrypt smbclient-krb5*.pcap (6.52 KB, application/octet-stream)
2012-10-22 11:43 UTC, Stefan Metzmacher
no flags Details
Additional patch for master (1.34 KB, patch)
2012-10-22 11:53 UTC, Stefan Metzmacher
no flags Details
Patches for v4-0-test (5.61 KB, patch)
2012-11-02 10:18 UTC, Stefan Metzmacher
metze: review? (asn)
gd: review+
metze: review? (abartlet)
Details
Patches for v3-6-test (5.72 KB, patch)
2012-11-02 10:19 UTC, Stefan Metzmacher
metze: review? (asn)
gd: review+
metze: review? (abartlet)
Details
patch for 3.6.x (4.86 KB, patch)
2012-11-14 12:17 UTC, Guenther Deschner
metze: review-
Details
fixed patch for 3.6.x (4.90 KB, patch)
2012-11-14 13:09 UTC, Guenther Deschner
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2012-10-09 12:37:19 UTC
When joining an AD domain with "net ads join" and smb.conf contains "kerberos method = secrets and keytab", the host keytab /etc/krb5.keytab is being created and a valid host principal of form HOSTNAME$@REALM in included in the file. However, only des-cbc-crc, des-cbc-md5, and arcfour-hmac enctypes are included, no aes256 or aes128 even in AD 2008R2 domain which has full AES support.

Aside from weaker security, with the aforementioned three enctypes things like "kinit -k -t /etc/krb5.keytab 'HOSTNAME$@REALM'" fail with the default krb5.conf (default_{tkt,tgs}_enctypes must be adjusted to be able to kinit).

"net ads join" should provide AES keys in the host keytab at least optionally if the domain controller supports AES, not only the previously mentioned three types (which are currently hard-coded in the source code).
Comment 1 Andreas Schneider 2012-10-09 12:37:54 UTC
Created attachment 8019 [details]
v4-0-test patch
Comment 2 Andreas Schneider 2012-10-09 12:39:33 UTC
Created attachment 8020 [details]
v3-6-test patch
Comment 3 Stefan Metzmacher 2012-10-09 13:25:53 UTC
Can someone please provide a network capture including a keytab file,
that shows that smb signing as client (smbclient or winbindd)
still works with this?
Comment 4 Jeremy Allison 2012-10-09 22:36:53 UTC
Comment on attachment 8019 [details]
v4-0-test patch

LGTM.
Comment 5 Jeremy Allison 2012-10-09 22:37:04 UTC
Comment on attachment 8020 [details]
v3-6-test patch

LGTM.
Comment 6 Jeremy Allison 2012-10-09 22:40:28 UTC
Ok, both these patches (for 4.0.0rc3 and 3.6.next) look good to me. They are exactly the same code that has been added to master.

However metze's concern is a valid one, in that once we use these new enctypes we may affect the code that generates the key used for SMB1 and SMB2 signing.

With that, can you hold off transferring this bug to Karolin until you have performed a test using smbclient from master connecting to a 4.0.0rc3 and a 3.6.next Samba server using both SMB1 and SMB2 with mandatory signing turned on.

This that I'm going to flag this bug as "NEEDINFO" and ask for review from asn@samba.org for both patches. Set them to '+' when you've performed this test and confirmed it all works on.

Thanks !

Jeremy.
Comment 7 Guenther Deschner 2012-10-17 12:49:54 UTC
Looking into this again.
Comment 8 Stefan Metzmacher 2012-10-22 11:40:23 UTC
Comment on attachment 8019 [details]
v4-0-test patch

The first patch is wrong,
it adds the aes types at the end, which means the kdc still gives us arcfour-hmac-md5 session keys.

See smbclient-krb5-01.pcap.gz

If I add it to before ENCTYPE_ARCFOUR_HMAC,
we'll get aes session keys
Comment 9 Stefan Metzmacher 2012-10-22 11:41:06 UTC
Comment on attachment 8020 [details]
v3-6-test patch

The first patch is wrong,
it adds the aes types at the end, which means the kdc still gives us
arcfour-hmac-md5 session keys.

See smbclient-krb5-01.pcap.gz

If I add it to before ENCTYPE_ARCFOUR_HMAC,
we'll get aes session keys
Comment 10 Stefan Metzmacher 2012-10-22 11:42:16 UTC
Created attachment 8093 [details]
capture that still uses arcfour-hmac-md5
Comment 11 Stefan Metzmacher 2012-10-22 11:42:59 UTC
Created attachment 8094 [details]
capture that uses aes session keys
Comment 12 Stefan Metzmacher 2012-10-22 11:43:52 UTC
Created attachment 8095 [details]
keytab to decrypt smbclient-krb5*.pcap
Comment 13 Stefan Metzmacher 2012-10-22 11:53:35 UTC
Created attachment 8096 [details]
Additional patch for master

Andreas or Günther please push this to master after testing with MIT.
I just used the builtin heimdal for testing.
Comment 14 Stefan Metzmacher 2012-11-02 10:18:35 UTC
Created attachment 8136 [details]
Patches for v4-0-test
Comment 15 Stefan Metzmacher 2012-11-02 10:19:29 UTC
Created attachment 8137 [details]
Patches for v3-6-test
Comment 16 Andrew Bartlett 2012-11-02 12:02:44 UTC
So, we have to remember that Samba 3.6 can't ever be permitted to accept AES tickets, as it doesn't have the new spnego, so things will break.

If we are marked as accepting AES on the KDC, this implies support for new SPNEGO.  Indeed, this was one of the major motivations for me pushing the gensec changes into the smbd code.

That said, writing AES keys into the local keytab when we join with krb5 would give the advantage of being able to use it when we deal with the machine account principal as a client.

Having extra keys that are used only in this client case is mostly harmless, and this code changes nothing about what the KDC will create tickets encrypted to.
Comment 17 Michael Osipov 2012-11-02 12:21:02 UTC
(In reply to comment #16)
> So, we have to remember that Samba 3.6 can't ever be permitted to accept AES
> tickets, as it doesn't have the new spnego, so things will break.
> 
> If we are marked as accepting AES on the KDC, this implies support for new
> SPNEGO.  Indeed, this was one of the major motivations for me pushing the
> gensec changes into the smbd code.
> 
> That said, writing AES keys into the local keytab when we join with krb5 would
> give the advantage of being able to use it when we deal with the machine
> account principal as a client.
> 
> Having extra keys that are used only in this client case is mostly harmless,
> and this code changes nothing about what the KDC will create tickets encrypted
> to.

Please keep in mind that Samba is not the only one who's using the keytab. Remember Heimdal, MIT, JGSS.

What is the new SPNEGO? Samba 3.6 does support that as far as I have seen in 'net ads join'.
Comment 18 Stefan Metzmacher 2012-11-02 13:43:58 UTC
(In reply to comment #16)
> So, we have to remember that Samba 3.6 can't ever be permitted to accept AES
> tickets, as it doesn't have the new spnego, so things will break.
> 
> If we are marked as accepting AES on the KDC, this implies support for new
> SPNEGO.  Indeed, this was one of the major motivations for me pushing the
> gensec changes into the smbd code.

But that won't happen unless we set the msDS-SupportedEncryptionTypes,
correct? We should think about adding that in net ads join for 4.0.x or 4.1.

> That said, writing AES keys into the local keytab when we join with krb5 would
> give the advantage of being able to use it when we deal with the machine
> account principal as a client.
> 
> Having extra keys that are used only in this client case is mostly harmless,
> and this code changes nothing about what the KDC will create tickets encrypted
> to.

This patches are mostly for the client side. At lease we should include them
in v4-0-test.
Comment 19 Guenther Deschner 2012-11-09 14:04:12 UTC
Comment on attachment 8137 [details]
Patches for v3-6-test

Looks good, I tested this with a 64bit win7 client in a w2k8r2 domain against a 3.6.9 samba server including this patch. 

I tested both, with and without a manual "msDS-SupportedEncryptionTypes: 31" value on the samba machine account, also with smb signing enforced and not enforced. 

It all worked and used a 32bit AES session key then.
Comment 20 Guenther Deschner 2012-11-09 14:09:04 UTC
Comment on attachment 8136 [details]
Patches for v4-0-test

Looks good, just like the 3.6 variant.
Comment 21 Stefan Metzmacher 2012-11-09 14:53:01 UTC
Karolin, please pick this for v4-0-test
Comment 22 Karolin Seeger 2012-11-12 08:22:30 UTC
(In reply to comment #21)
> Karolin, please pick this for v4-0-test

Pushed to v3-6-test and autobuild-v4-0-test.
Comment 23 Karolin Seeger 2012-11-12 10:50:36 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!
Comment 24 Guenther Deschner 2012-11-14 12:16:52 UTC
Patchset not covering all issues, in 3.6 at least.
Comment 25 Guenther Deschner 2012-11-14 12:17:45 UTC
Created attachment 8188 [details]
patch for 3.6.x
Comment 26 Stefan Metzmacher 2012-11-14 12:21:34 UTC
Comment on attachment 8188 [details]
patch for 3.6.x

In the 3rd patch you should add the new types before ENCTYPE_ARCFOUR_HMAC.
We should keep them ordered by priority.

Otherwise this looks good
Comment 27 Guenther Deschner 2012-11-14 13:09:12 UTC
Created attachment 8189 [details]
fixed patch for 3.6.x
Comment 28 Stefan Metzmacher 2012-11-14 13:20:12 UTC
Comment on attachment 8189 [details]
fixed patch for 3.6.x

Looks good
Comment 29 Stefan Metzmacher 2012-11-14 13:20:57 UTC
Karolin, please pick this to 3.6
Comment 30 Karolin Seeger 2012-11-15 07:59:23 UTC
(In reply to comment #29)
> Karolin, please pick this to 3.6

Pushed to v3-6-test.
Closing out bug report.

Thanks!