The branch, v4-19-test has been updated
via 3b649ba044c s4:kdc: fix user2user tgs-requests for normal user
accounts
via 94fa2897906 third_party/heimdal kdc: introduce
HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit
a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
via 166035b7c55 tests/krb5/kdc_tgs_tests: add user2user tests using a
normal user account
from ba252e247c5 s3:winbindd: Improve logging for failover scenarios in
winbindd_cm.c
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test
- Log -----------------------------------------------------------------
commit 3b649ba044c8d287bc179c3f17ee850eb5dae820
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Oct 11 15:58:22 2023 +0200
s4:kdc: fix user2user tgs-requests for normal user accounts
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.
In addition User2User also asserts that client and server
are the same account (cecked based on the sid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
(cherry picked from commit bf79979f847de36db9da9646a396cdfe6b0e1c6f)
Autobuild-User(v4-19-test): Jule Anger <jan...@samba.org>
Autobuild-Date(v4-19-test): Tue Nov 7 14:00:20 UTC 2023 on atb-devel-224
commit 94fa28979065556a8c0fa71095d87a15c9c6488c
Author: Stefan Metzmacher <me...@samba.org>
Date: Mon Oct 16 12:33:15 2023 +1300
third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import
lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup to succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.
But for User2User the account password is not used,
so it is safe to return the server entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
[abart...@samba.org Adapted to be an import from lorikeet-heimdal as
requested]
(cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6)
commit 166035b7c557b0d3ef61eaaa85a24bc0b805d8c3
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Oct 11 15:54:15 2023 +0200
tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/kdc/db-glue.c | 30 +++++++++++++++++++++++++++---
source4/kdc/sdb.h | 4 +++-
third_party/heimdal/kdc/krb5tgs.c | 7 ++++++-
third_party/heimdal/lib/hdb/hdb.h | 1 +
4 files changed, 37 insertions(+), 5 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 5894b47ecd9..a55f66e94c7 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -624,6 +624,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context
context,
}
}
+ if (flags & SDB_F_USER2USER_PRINCIPAL) {
+ /*
+ * User2User uses the session key
+ * from the additional ticket,
+ * so we just provide random keys
+ * here in order to make sure
+ * we never expose the user password
+ * keys.
+ */
+ ret = samba_kdc_set_random_keys(context,
+ supported_enctypes,
+ &entry->keys);
+
+ *supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;
+
+ goto out;
+ }
+
if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
&& (userAccountControl & UF_SMARTCARD_REQUIRED)) {
ret = samba_kdc_set_random_keys(context,
@@ -1093,6 +1111,7 @@ static krb5_error_code
samba_kdc_message2entry(krb5_context context,
const struct authn_kerberos_client_policy *authn_client_policy = NULL;
const struct authn_server_policy *authn_server_policy = NULL;
int64_t enforced_tgt_lifetime_raw;
+ const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL);
ZERO_STRUCTP(entry);
@@ -1174,12 +1193,17 @@ static krb5_error_code
samba_kdc_message2entry(krb5_context context,
*/
entry->flags.force_canonicalize = true;
- /* Windows 2008 seems to enforce this (very sensible) rule by
+ /*
+ * Windows 2008 seems to enforce this (very sensible) rule by
* default - don't allow offline attacks on a user's password
* by asking for a ticket to them as a service (encrypted with
- * their probably patheticly insecure password) */
+ * their probably pathetically insecure password)
+ *
+ * But user2user avoids using the keys bases on the password,
+ * so we can allow it.
+ */
- if (entry->flags.server
+ if (entry->flags.server && !user2user
&& lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service",
true)) {
if (!is_computer && !ldb_msg_find_attr_as_string(msg,
"servicePrincipalName", NULL)) {
entry->flags.server = 0;
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index e59d22434fd..d2fb67bd9e7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -120,6 +120,7 @@ struct sdb_entry {
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
#define SDB_F_ARMOR_PRINCIPAL 262144 /* fetch is for the client of an armor
ticket */
+#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a
user2user tgs-req */
#define SDB_F_HDB_MASK (SDB_F_DECRYPT | \
SDB_F_GET_CLIENT| \
@@ -130,7 +131,8 @@ struct sdb_entry {
SDB_F_KVNO_SPECIFIED | \
SDB_F_FOR_AS_REQ | \
SDB_F_FOR_TGS_REQ | \
- SDB_F_ARMOR_PRINCIPAL)
+ SDB_F_ARMOR_PRINCIPAL| \
+ SDB_F_USER2USER_PRINCIPAL)
/* This is not supported by HDB */
#define SDB_F_FORCE_CANON 16384 /* force canonicalization */
diff --git a/third_party/heimdal/kdc/krb5tgs.c
b/third_party/heimdal/kdc/krb5tgs.c
index 79dbe6622f4..e7f0e1e49dd 100644
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -1380,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv,
Key *tkey_sign;
int flags = HDB_F_FOR_TGS_REQ;
+ int server_flags;
int result;
@@ -1401,6 +1402,10 @@ tgs_build_reply(astgs_request_t priv,
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
+ server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags;
+ if (b->kdc_options.enc_tkt_in_skey)
+ server_flags |= HDB_F_USER2USER_PRINCIPAL;
+
if (s == NULL) {
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
_kdc_set_const_e_text(priv, "No server in request");
@@ -1438,7 +1443,7 @@ server_lookup:
_kdc_free_ent(context, serverdb, priv->server);
priv->server = NULL;
ret = _kdc_db_fetch(context, config, priv->server_princ,
- HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags,
+ server_flags,
NULL, &serverdb, &priv->server);
priv->serverdb = serverdb;
if (ret == HDB_ERR_NOT_FOUND_HERE) {
diff --git a/third_party/heimdal/lib/hdb/hdb.h
b/third_party/heimdal/lib/hdb/hdb.h
index 6534766a18c..bd40e5a5769 100644
--- a/third_party/heimdal/lib/hdb/hdb.h
+++ b/third_party/heimdal/lib/hdb/hdb.h
@@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or
GSS preauth OK */
#define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a
normal principal) */
#define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor
ticket */
+#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a
user2user tgs-req */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
--
Samba Shared Repository
