[cifs-protocol] [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

Edgar Olougouna edgaro at microsoft.com
Mon May 9 19:58:33 UTC 2016


Uri,
The real workaround is a fix (which you already coded and tested) that enables interop across implementations in the industry, e.g. Windows, MIT. The 5-byte kvno issue is a legacy that surfaced when Windows introduced RODC, which leveraged the higher bytes of the kvno. Statistically, 50% of RODCs will have an Rodc-ID >= 32768.
When promoting a Windows server to RODC, the administrator does not have the option to control or choose its Rodc-Id. The RODC identifier is generated by the system and is random between 1 and 0xFFFF, but it is unique across the domain. Only SYSTEM has the write privilege on the msDS-SecondaryKrbTgtNumber attribute; this is a system only attribute, and is not meant to be modified.

Thanks,
Edgar

-----Original Message-----
From: Uri Simchoni [mailto:uri at samba.org] 
Sent: Saturday, May 7, 2016 3:45 AM
To: Edgar Olougouna <edgaro at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; MSSolve Case Email <casemail at microsoft.com>
Subject: Re: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

One last thing - for the sake of reproducing the issue in the future or as a workaround, is there a way to control the RODC id when promoting a server to RODC (i.e. to make the rodc id < 32768 or >= 32768)?

Thanks,
Uri.
On 05/06/2016 08:31 PM, Edgar Olougouna wrote:
> Uri,
> Windows KILE key version numbers are signed 32-bit integers. Windows KDC does not accept 5-byte Kvno and does not return errors on "malformed" packets, as that can be used to set up a DoS flood attack.
> The first 16 bits of the kvno, including the most significant bit, are an unsigned 16-bit number that SHOULD identify the RODC (if it’s RODC). The remaining 16 bits SHOULD be the version number of the key.
> KILE has a deviation from [RFC4120] which defines kvno as Uint32. 
> For interop, MIT implementation also uses the signed 32-bit integer.
> 
> Maybe I'll add a few lines to my blog.
> https://blogs.msdn.microsoft.com/openspecification/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment/
> 
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Friday, May 6, 2016 10:57 AM
> To: Uri Simchoni <uri at samba.org>
> Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; 
> MSSolve Case Email <casemail at microsoft.com>
> Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
> 
> Uri,
> I am reviewing this and will follow-up soon.
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Kamil Sykora
> Sent: Thursday, May 5, 2016 8:13 PM
> To: Uri Simchoni <uri at samba.org>
> Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; 
> MSSolve Case Email <casemail at microsoft.com>
> Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
> 
> [BCC: dochelp, CC: casemail]
> 
> Hello Uri,
> 
> Thank you for your question. I have created incident 116050614132786 to track your issue. One of our team members will contact you shortly.
> 
> Thanks,
> Kamil
>  
> Kamil Sykora
> Microsoft Open Specifications
> 
> 
> -----Original Message-----
> From: Uri Simchoni [mailto:uri at samba.org]
> Sent: Thursday, May 5, 2016 5:26 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>
> Subject: [MS-KILE] - DER encoding of KVNO
> 
> 
> Hi,
> 
> This is in reference to Samba bug
> https://bugzilla.samba.org/show_bug.cgi?id=11900. I seek clarification on encoding of Kerberos tickets.
> 
> We've found that when generating a TGS request, the Kerberos library that's bundled with Samba encodes a KVNO larger than 0x7fffffff using 5 bytes, and this seems to upset Windows domain controllers (2003R2 and 2008R2), which seem to expect a maximum of 4 bytes in the KVNO. We've demonstrated that encoding the KVNO in 4 bytes fixes the issue.
> 
> We easily get to such high KVNO when working against an RODC which is configured to cache our machine account password. In that case the TGT we get has a high KVNO because it's made up of two fields. It appears that we decode and re-encode the TGT (the unencrypted parts) before sending it in a TGS-REQ.
> 
> According to RFC 4120, a KVNO is an unsigned 32-bit integer, and according to DER, such an integer in the range of 0x80000000-0xFFFFFFFF has to be encoded using 5 bytes, so it seems Samba's in compliance with the standard here.
> 
> Can you confirm that Windows expects up to 4 bytes in the KVNO? If yes, can it be said that Windows is too restrictive here?
> 
> Thanks,
> Uri.
> 
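The encoding difference discussed in this thread, as an added example that is not code from the thread, from Samba or from Windows: a minimal DER INTEGER encoder applied to the same kvno both as the RFC 4120 UInt32 (5 content bytes once the top bit is set) and as the signed 32-bit integer Windows KILE accepts (never more than 4), plus the RODC-id / key-version split of the 32 bits. The kvno value and helper names are constructed for illustration.

```python
# Added example: DER encoding of a Kerberos kvno, unsigned (RFC 4120) vs signed 32-bit (Windows KILE).

def der_integer(value: int) -> bytes:
    """Minimal DER encoding of an ASN.1 INTEGER (tag 0x02), shortest two's-complement content."""
    n = 1
    while not (-(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1))):
        n += 1  # grow until the value fits in n bytes two's complement
    content = value.to_bytes(n, "big", signed=True)
    return bytes([0x02, len(content)]) + content  # short-form length is enough for <= 5 bytes

def encode_kvno_unsigned(kvno: int) -> bytes:
    """kvno as the UInt32 of RFC 4120: non-negative, so values >= 0x80000000 need a leading 0x00 (5 bytes)."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno out of UInt32 range")
    return der_integer(kvno)

def encode_kvno_signed32(kvno: int) -> bytes:
    """Same 32 bits reinterpreted as a signed 32-bit integer: at most 4 content bytes, as Windows expects."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno out of UInt32 range")
    signed = kvno - (1 << 32) if kvno & 0x80000000 else kvno
    return der_integer(signed)

def decode_kvno(buf: bytes) -> tuple[int, int]:
    """Parse one DER INTEGER; return (kvno as unsigned 32-bit, content length in bytes)."""
    if len(buf) < 2 or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = buf[1]
    content = buf[2:2 + length]
    if length == 0 or length > 127 or len(content) != length:
        raise ValueError("bad INTEGER length")
    value = int.from_bytes(content, "big", signed=True)
    return value & 0xFFFFFFFF, length  # both encodings decode to the same 32-bit kvno

def split_rodc_kvno(kvno: int) -> tuple[int, int]:
    """Windows RODC layout: high 16 bits are the RODC id, low 16 bits the key version."""
    return (kvno >> 16) & 0xFFFF, kvno & 0xFFFF

if __name__ == "__main__":
    # Constructed sample: RODC id 0x9C40 (40000, >= 32768) with key version 3.
    kvno = (0x9C40 << 16) | 3
    print("unsigned:", encode_kvno_unsigned(kvno).hex())  # 5 content bytes
    print("signed32:", encode_kvno_signed32(kvno).hex())  # 4 content bytes
    print("rodc id / key version:", split_rodc_kvno(kvno))
```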
