From 0f64f1ad2118e5f33697bafb3d31c1692b9a6f18 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 16 Oct 2023 12:33:15 +1300 Subject: [PATCH 1/3] third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4)) This allows HDB backends to do special handling for User2User TGS-REQs. The main reason is to let the HDB_F_GET_SERVER lookup to succeed even for non-computer accounts. In Samba these are typically not returned in HDB_F_GET_SERVER in order to avoid generating tickets with the user password. But for User2User the account password is not used, so it is safe to return the server entry. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett [abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested] (cherry picked from commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6) --- third_party/heimdal/kdc/krb5tgs.c | 7 ++++++- third_party/heimdal/lib/hdb/hdb.h | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index 79dbe6622f46..e7f0e1e49dd5 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -1380,6 +1380,7 @@ tgs_build_reply(astgs_request_t priv, Key *tkey_sign; int flags = HDB_F_FOR_TGS_REQ; + int server_flags; int result; @@ -1401,6 +1402,10 @@ tgs_build_reply(astgs_request_t priv, if (b->kdc_options.canonicalize) flags |= HDB_F_CANON; + server_flags = HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags; + if (b->kdc_options.enc_tkt_in_skey) + server_flags |= HDB_F_USER2USER_PRINCIPAL; + if (s == NULL) { ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; _kdc_set_const_e_text(priv, "No server in request"); @@ -1438,7 +1443,7 @@ server_lookup: _kdc_free_ent(context, serverdb, priv->server); priv->server = NULL; ret = _kdc_db_fetch(context, config, priv->server_princ, - HDB_F_GET_SERVER | HDB_F_DELAY_NEW_KEYS | flags, + server_flags, NULL, &serverdb, &priv->server); priv->serverdb = serverdb; if (ret == HDB_ERR_NOT_FOUND_HERE) { diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h index 6534766a18cf..bd40e5a57690 100644 --- a/third_party/heimdal/lib/hdb/hdb.h +++ b/third_party/heimdal/lib/hdb/hdb.h @@ -78,6 +78,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; #define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */ #define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */ #define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */ +#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */ /* hdb_capability_flags */ #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 -- 2.34.1 From 0bce532ad0f2f1acaf8fe8a748b0a72fcd357656 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 Oct 2023 15:58:22 +0200 Subject: [PATCH 2/3] s4:kdc: fix user2user tgs-requests for normal user accounts User2User tgs requests use the session key of the additional ticket instead of the long term keys based on the password. In addition User2User also asserts that client and server are the same account (cecked based on the sid). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224 (cherry picked from commit bf79979f847de36db9da9646a396cdfe6b0e1c6f) --- selftest/knownfail.d/krb5_user2user | 1 - source4/kdc/db-glue.c | 30 ++++++++++++++++++++++++++--- source4/kdc/sdb.h | 4 +++- 3 files changed, 30 insertions(+), 5 deletions(-) delete mode 100644 selftest/knownfail.d/krb5_user2user diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user deleted file mode 100644 index 44e2f8d97299..000000000000 --- a/selftest/knownfail.d/krb5_user2user +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 5894b47ecd9e..a55f66e94c7f 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -624,6 +624,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } } + if (flags & SDB_F_USER2USER_PRINCIPAL) { + /* + * User2User uses the session key + * from the additional ticket, + * so we just provide random keys + * here in order to make sure + * we never expose the user password + * keys. + */ + ret = samba_kdc_set_random_keys(context, + supported_enctypes, + &entry->keys); + + *supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES; + + goto out; + } + if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) && (userAccountControl & UF_SMARTCARD_REQUIRED)) { ret = samba_kdc_set_random_keys(context, @@ -1093,6 +1111,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, const struct authn_kerberos_client_policy *authn_client_policy = NULL; const struct authn_server_policy *authn_server_policy = NULL; int64_t enforced_tgt_lifetime_raw; + const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL); ZERO_STRUCTP(entry); @@ -1174,12 +1193,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, */ entry->flags.force_canonicalize = true; - /* Windows 2008 seems to enforce this (very sensible) rule by + /* + * Windows 2008 seems to enforce this (very sensible) rule by * default - don't allow offline attacks on a user's password * by asking for a ticket to them as a service (encrypted with - * their probably patheticly insecure password) */ + * their probably pathetically insecure password) + * + * But user2user avoids using the keys bases on the password, + * so we can allow it. + */ - if (entry->flags.server + if (entry->flags.server && !user2user && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) { if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) { entry->flags.server = 0; diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h index e59d22434fd6..d2fb67bd9e72 100644 --- a/source4/kdc/sdb.h +++ b/source4/kdc/sdb.h @@ -120,6 +120,7 @@ struct sdb_entry { #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ #define SDB_F_ARMOR_PRINCIPAL 262144 /* fetch is for the client of an armor ticket */ +#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */ #define SDB_F_HDB_MASK (SDB_F_DECRYPT | \ SDB_F_GET_CLIENT| \ @@ -130,7 +131,8 @@ struct sdb_entry { SDB_F_KVNO_SPECIFIED | \ SDB_F_FOR_AS_REQ | \ SDB_F_FOR_TGS_REQ | \ - SDB_F_ARMOR_PRINCIPAL) + SDB_F_ARMOR_PRINCIPAL| \ + SDB_F_USER2USER_PRINCIPAL) /* This is not supported by HDB */ #define SDB_F_FORCE_CANON 16384 /* force canonicalization */ -- 2.34.1 From 36a014098101499e701ec0b25ed60f891494aa5f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 Oct 2023 15:54:15 +0200 Subject: [PATCH 3/3] tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher --- selftest/knownfail.d/krb5_user2user | 1 + 1 file changed, 1 insertion(+) create mode 100644 selftest/knownfail.d/krb5_user2user diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user new file mode 100644 index 000000000000..44e2f8d97299 --- /dev/null +++ b/selftest/knownfail.d/krb5_user2user @@ -0,0 +1 @@ +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req -- 2.34.1