Hello team,

We are experiencing Active Directory interoperability issues for the MIT Kerberos 1.20 release, which introduces generation of a PAC for all tickets by default. There are two scenarios:
* Cross-realm AD TGS request from an MIT Kerberos client (realm trust)[1]
* Cross-realm S4U2Self request for a FreeIPA service to impersonate an AD user (forest trust)[2]
In both cases, a TGS-REQ[3][4] against AD using the cross-realm TGT results in
a generic error (MS-SFU 4.2 step 3[5] in S4U2Self case). We suspect these two
failures may have the same underlying cause, because of the "e-data" attribute
from the KRB_ERR_GENERIC message[6][7]:
SEQUENCE {
  SEQUENCE {
    [1] {
      INTEGER 136
    }
    [2] {
      OCTET STRING
      ...
    }
  }
}
The octet string is different, but the integer is the same in both scenarios.
According to the MS-KILE specification, this piece of data should be a
KERB-ERROR-DATA structure[8]. However, the integer 136 does not match any of the
documented "data-type" values.
This error is most likely related to the PAC, because in the realm trust case,
the cross-realm TGS-REQ works if PAC support is disabled on the MIT KDC
(i.e. the MIT TGT does not contain a PAC).
Could you please give us more details about KERB-ERROR-DATA code 136, and check
if you see anything wrong in the PACs that are being used in these 2 scenarios?
--
Julien Rische
Software Engineer
Red Hat
[1] krb5_1_20_mit_ad_realm_trust.(pcap|keytab) files in attachment
[2] krb5_1_20_ipa_ad_trust_s4u2self.(pcapng|keytab) files in attachment
[3] krb5_1_20_mit_ad_realm_trust.pcap packet no. 7
[4] krb5_1_20_ipa_ad_trust_s4u2self.pcapng packet no. 11
[5] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/f35b6902-6f5e-4cd0-be64-c50bbaaf54a5
[6] e-data in krb5_1_20_mit_ad_realm_trust.pcap packet no. 8 or
krb5_1_20_mit_ad_realm_trust_edata.blob in attachment
[7] e-data in krb5_1_20_ipa_ad_trust_s4u2self.pcapng packet no. 12 or
krb5_1_20_ipa_ad_trust_s4u2self_edata.blob in attachment
[8] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/25fabd02-560d-4c1f-8f42-b32e9d97996a
Attachments:
* krb5_1_20_mit_ad_realm_trust.keytab (Binary data)
* krb5_1_20_mit_ad_realm_trust_edata.blob (Binary data)
* krb5_1_20_ipa_ad_trust_s4u2self_edata.blob (Binary data)
* krb5_1_20_mit_ad_realm_trust.pcap (application/vnd.tcpdump.pcap)
* krb5_1_20_ipa_ad_trust_s4u2self.keytab (Binary data)
* krb5_1_20_ipa_ad_trust_s4u2self.pcapng (application/pcapng)
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
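The message above reads the e-data of the KRB_ERR_GENERIC reply as an MS-KILE KERB-ERROR-DATA structure (SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }) and finds a data-type of 136 that the specification does not document. The following Python decoder is an added example written for this page; it is not code from the poster, from MIT Kerberos, FreeIPA or Samba. It parses the DER layout exactly as shown in the dump (an outer SEQUENCE wrapping the KERB-ERROR-DATA SEQUENCE, with constructed context tags [1] and [2]), compares the data-type against the two values MS-KILE documents (KERB_AP_ERR_TYPE_SKEW_RECOVERY = 2 and KERB_ERR_TYPE_EXTENDED = 3) and flags anything else as undocumented. The sample blob is constructed here with an empty placeholder octet string, since the real data-value is only in the attached `.blob` files; the function and constant names are this example's own, and the outer SEQUENCE is accepted but also tolerated when absent because its meaning is not stated on the page.

```python
"""Decode the e-data of a KRB_ERR_GENERIC reply as MS-KILE KERB-ERROR-DATA.

Added example for this page (not the poster's code). Handles the two DER
shapes a reader is likely to meet: the nested form shown in the e-mail
(SEQUENCE { SEQUENCE { [1] INTEGER, [2] OCTET STRING } }) and the bare
KERB-ERROR-DATA SEQUENCE without the outer wrapper.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# data-type values documented in MS-KILE 2.2.2 (assumed to be the complete list)
DOCUMENTED_DATA_TYPES = {
    2: "KERB_AP_ERR_TYPE_SKEW_RECOVERY",
    3: "KERB_ERR_TYPE_EXTENDED",
}

TAG_SEQUENCE = 0x30      # UNIVERSAL 16, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_CTX_1 = 0xA1         # [1] constructed, context-specific
TAG_CTX_2 = 0xA2         # [2] constructed, context-specific


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for one DER element."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element, using long-form length where required."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_uint(v: int) -> bytes:
    """DER INTEGER contents for a non-negative value (leading 0x00 if MSB set)."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big")


@dataclass
class KerbErrorData:
    data_type: int
    data_value: Optional[bytes]

    @property
    def data_type_name(self) -> str:
        return DOCUMENTED_DATA_TYPES.get(self.data_type, "undocumented")


def encode_kerb_error_data(data_type: int, data_value: Optional[bytes],
                           outer_wrapper: bool = True) -> bytes:
    """Build the e-data blob; outer_wrapper=True reproduces the nested dump."""
    fields = _encode_tlv(TAG_CTX_1, _encode_tlv(TAG_INTEGER, _encode_uint(data_type)))
    if data_value is not None:
        fields += _encode_tlv(TAG_CTX_2, _encode_tlv(TAG_OCTET_STRING, data_value))
    body = _encode_tlv(TAG_SEQUENCE, fields)
    return _encode_tlv(TAG_SEQUENCE, body) if outer_wrapper else body


def decode_kerb_error_data(edata: bytes) -> KerbErrorData:
    """Parse e-data into (data-type, data-value); rejects anything malformed."""
    tag, body, end = _read_tlv(edata, 0)
    if tag != TAG_SEQUENCE or end != len(edata):
        raise ValueError("e-data is not a single SEQUENCE")
    # Unwrap the outer SEQUENCE if the content is itself one SEQUENCE.
    if body and body[0] == TAG_SEQUENCE:
        tag, inner, end = _read_tlv(body, 0)
        if end == len(body):
            body = inner
    data_type, data_value, pos = None, None, 0
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        inner_tag, inner_val, _ = _read_tlv(field, 0)
        if tag == TAG_CTX_1 and inner_tag == TAG_INTEGER:
            data_type = int.from_bytes(inner_val, "big", signed=True)
        elif tag == TAG_CTX_2 and inner_tag == TAG_OCTET_STRING:
            data_value = inner_val
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in KERB-ERROR-DATA")
    if data_type is None:
        raise ValueError("data-type [1] is mandatory")
    return KerbErrorData(data_type, data_value)


# Constructed sample: data-type 136 with an empty placeholder octet string.
# The real data-value bytes live only in the attached *_edata.blob files.
SAMPLE_EDATA = bytes.fromhex("300c300aa10402020088a2020400")

if __name__ == "__main__":
    parsed = decode_kerb_error_data(SAMPLE_EDATA)
    print(f"data-type {parsed.data_type} ({parsed.data_type_name}), "
          f"data-value {parsed.data_value!r}")
```

To check a captured blob, read the attachment with `open(path, "rb").read()` and pass it to `decode_kerb_error_data`; a `data_type_name` of "undocumented" is the condition the post describes, and the returned `data_value` can then be dumped for comparison between the two captures.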
