autobuild[sn-devel-104]: intermittent test failure detected

autobuild autobuild at samba.org
Sun May 8 10:02:58 UTC 2016


The autobuild test system (on sn-devel-104) has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey.sn-devel-104/2016-05-08-1202/flakey.log

The samba build logs are available here:

   http://git.samba.org/autobuild.flakey.sn-devel-104/2016-05-08-1202/samba.stderr
   http://git.samba.org/autobuild.flakey.sn-devel-104/2016-05-08-1202/samba.stdout
  
The top commit at the time of the failure was:

commit 6379737b7ddc6ccb752238c5820cc62e76a8da17
Author: Uri Simchoni <uri at samba.org>
Date:   Thu May 5 23:40:22 2016 +0300

    heimdal: encode/decode kvno as signed integer
    
    This patch changes the encoding/decoding of kvno (key version number)
    in blobs and packets to signed integer, for compatibility with Windows.
    Reportedly, MIT Kerberos does the same.
    
    This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
    in the heimdal tree.
    
    According to the Kerberos spec (RFC 4120 5.2.9), the kvno field
    in encrypted data object is an unsigned integer that fits in
    32 bits. The Heimdal Kerberos component bundled with Samba
    conforms to this. However, Windows deviates from the standard
    and encodes kvno as a signed integer, and this creates
    interoperability issues.
    
    ASN.1 DER has no special encoding for unsigned integer. A 32-bit
    unsigned integer is encoded as a signed integer, so while a signed
    32-bit integer (covering the range of -0x80000000..0x7fffffff) is
    encoded using up to 4 bytes, an unsigned integer (covering
    0..0xffffffff) could require 5 bytes.
    
    Normally, kvno for a given account starts at 1 and increments on
    password changes. Kerberos defined this as unsigned because there's
    no meaning for negative version numbers, so the standard writers figured
    4 billion versions is better than 2 billion. It was not
    expected for a kvno to really go past 0x7fffffff and the disctinction
    usually does not matter. However, RODCs use kvnos which
    have the most-significant bit set.
    
    In Active Directory, RODCs have a private secret for the krbtgt,
    because the assumption is that the RODC is less secure, and
    recovering the domain krbtgt secret from the RODC would compromise
    the security of the entire domain. The kvno field is being used
    to identify the private krbtgt account that owns the key - the
    upper 16 bits are the RODC id, and the lower 16 bits identify
    the key version number for this specific RODC. It's common to
    have an RODC id greater than 0x8000, and therefore to have a
    kvno larger than 0x7fffffff, which would be DER-encoded using
    5 bytes.
    
    Windows encodes kvno as signed integer - basically taking the
    32 bits and treating them as a signed integer rather than an
    unsigned integer. This means that in Windows a kvno can
    always be encoded using 4 bytes, and Windows DCs reject a kvno
    encoded using more than 4 bytes without even generating an error
    response (the DC assumes it's an attack).
    
    Heimdal re-encodes the TGT when it creates a TGS request. Obviously
    it cannot decode and encode the encrypted parts but it does re-encode
    the plain parts, which include the kvno. That leads to a 5-byte
    kvno in the TGS request, which is rejected without an error
    response.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Sat May  7 21:14:21 CEST 2016 on sn-devel-144



More information about the samba-cvs mailing list