[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Fri Mar 4 14:59:01 UTC 2022


The branch, master has been updated
       via  e25d6c89bef WHATSNEW: Bronze bit, S4U and RBCD support with MIT Kerberos 1.20
       via  d1d47a55449 gitlab-ci: Run krb5 tests also with MIT Kerberos 1.20 (prerelease)
       via  e908bbb1b3b gitlab-ci: Print the krb5 version
       via  d0e4b612c24 s4:mitkdc: Implement support for Resource Based Constrained Delegation (RBCD)
       via  c7be3d1fffe s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD
       via  5c4afce7bbf s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd()
       via  41ffba1302b s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
       via  1a4d43d38ea s4:auth: Remove trailing spaces in sam.c
       via  ea15ecfe4d5 krb5-mit: Enable S4U client support for MIT build
       via  1201147d06f s4:kdc: Implement new Microsoft forwardable flag behavior
       via  b20606b2915 s4:mitkdc: Add support for S4U2Self & S4U2Proxy
       via  f1ca16f309a s4:mitkdc: Add support for MIT Kerberos 1.20
       via  ea7b1caa410 s4:mitkdc: Set KRB5_KDB_NO_AUTH_DATA_REQUIRED based on sdb no_auth_data_reqd
       via  c9653e511d9 selftest: More tests are passing with MIT KRB5 >= 1.20
       via  f1ec950aeb4 s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
       via  cd0efd38d67 s4:kdc: Align sflags type
      from  cb10b8704e8 s3:script: Reformat shell scripts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e25d6c89bef298ac8cd8c2fb7b49f6cbd4e05ba5
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jan 13 08:43:23 2022 +0100

    WHATSNEW: Bronze bit, S4U and RBCD support with MIT Kerberos 1.20
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Mar  4 14:58:20 UTC 2022 on sn-devel-184

commit d1d47a5544998fa1bfe4ef20270d0cb35bb8adef
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 18 11:13:21 2022 +0100

    gitlab-ci: Run krb5 tests also with MIT Kerberos 1.20 (prerelease)
    
    This adds tests against MIT Kerberos 1.20 (prerelease) in order to test
    Bronze Bit, S4U and RBCD functionality supported only in current MIT Kerberos
    git master. We created a Fedora COPR package for MIT KRB5 1.20 (prerelease).
    
    MIT Kerberos 1.20 will be released in autumn 2022. As soon as MIT Kerberos 1.20
    is in a Fedora release, these runners will be removed again.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e908bbb1b3bf55011f2ee861b89b3a7b1f732af5
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 18 16:22:41 2022 +0100

    gitlab-ci: Print the krb5 version
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d0e4b612c248e728b8f9575a7cca278f09ee115a
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Dec 7 16:02:35 2021 +0100

    s4:mitkdc: Implement support for Resource Based Constrained Delegation (RBCD)
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c7be3d1fffecff1d6709880b3293114a8c2d328d
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Dec 14 11:17:15 2021 +0100

    s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD
    
    This just implements a call in the MIT KDB shim layer. It will be used in the
    next commits in the KDB plugin.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5c4afce7bbf8845a34efcd0f83aad51c4aa7e96c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Dec 14 11:16:12 2021 +0100

    s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd()
    
    This will be used by the MIT KDB plugin in the next commits.
    
    A security descriptor created by Windows looks like this:
    
        security_descriptor: struct security_descriptor
            revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
            type                     : 0x8004 (32772)
                   0: SEC_DESC_OWNER_DEFAULTED
                   0: SEC_DESC_GROUP_DEFAULTED
                   1: SEC_DESC_DACL_PRESENT
                   0: SEC_DESC_DACL_DEFAULTED
                   0: SEC_DESC_SACL_PRESENT
                   0: SEC_DESC_SACL_DEFAULTED
                   0: SEC_DESC_DACL_TRUSTED
                   0: SEC_DESC_SERVER_SECURITY
                   0: SEC_DESC_DACL_AUTO_INHERIT_REQ
                   0: SEC_DESC_SACL_AUTO_INHERIT_REQ
                   0: SEC_DESC_DACL_AUTO_INHERITED
                   0: SEC_DESC_SACL_AUTO_INHERITED
                   0: SEC_DESC_DACL_PROTECTED
                   0: SEC_DESC_SACL_PROTECTED
                   0: SEC_DESC_RM_CONTROL_VALID
                   1: SEC_DESC_SELF_RELATIVE
            owner_sid                : *
                owner_sid                : S-1-5-32-544
            group_sid                : NULL
            sacl                     : NULL
            dacl                     : *
                dacl: struct security_acl
                    revision                 : SECURITY_ACL_REVISION_ADS (4)
                    size                     : 0x002c (44)
                    num_aces                 : 0x00000001 (1)
                    aces: ARRAY(1)
                        aces: struct security_ace
                            type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                            flags                    : 0x00 (0)
                                   0: SEC_ACE_FLAG_OBJECT_INHERIT
                                   0: SEC_ACE_FLAG_CONTAINER_INHERIT
                                   0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                                   0: SEC_ACE_FLAG_INHERIT_ONLY
                                   0: SEC_ACE_FLAG_INHERITED_ACE
                                0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                                   0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                                   0: SEC_ACE_FLAG_FAILED_ACCESS
                            size                     : 0x0024 (36)
                            access_mask              : 0x000f01ff (983551)
                            object                   : union security_ace_object_ctr(case 0)
                            trustee                  : S-1-5-21-3001743926-1909451141-602466370-1108
    
    Created with the following powershell code:
    
        $host1 = Get-ADComputer -Identity ServerA
        $host2 = Get-ADComputer -Identity ServerB
        Set-ADComputer $host2 -PrincipalsAllowedToDelegateToAccount $host1
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
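
The descriptor dumped in the commit message above is the value of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute that the new samba_kdc_check_s4u2proxy_rbcd() evaluates. What follows is an added example and not Samba's code: it encodes that descriptor from the dumped field values using the MS-DTYP self-relative SECURITY_DESCRIPTOR, ACL, ACE and SID layouts, parses it back, and applies a deliberately simplified check that matches the trustee SID of each ACE directly (no group expansion, inheritance or object-type ACEs, unlike Samba's real access check). The function names, the RBCD_ACCESS_MASK constant and the SERVER_A_SID sample are taken from the dump or are assumptions made for the example. It is the kind of tool a defender can use to audit which accounts a computer object permits to act on its behalf.

```python
"""
Build, parse and evaluate the msDS-AllowedToActOnBehalfOfOtherIdentity
security descriptor used for Resource Based Constrained Delegation (RBCD).

Added example, not Samba code. Layouts follow the MS-DTYP self-relative
SECURITY_DESCRIPTOR / ACL / ACE / SID encodings. The access check is a
deliberate simplification: it compares trustee SIDs directly and ignores
group membership, inheritance flags and object-type ACEs.
"""
import struct

SECURITY_DESCRIPTOR_REVISION_1 = 1
SECURITY_ACL_REVISION_ADS = 4
SEC_DESC_DACL_PRESENT = 0x0004
SEC_DESC_SELF_RELATIVE = 0x8000
SEC_ACE_TYPE_ACCESS_ALLOWED = 0
SEC_ACE_TYPE_ACCESS_DENIED = 1
# access_mask Windows wrote into the RBCD ACE in the dump above
RBCD_ACCESS_MASK = 0x000F01FF


def sid_to_bytes(sid):
    """Encode 'S-1-<authority>-<sub>...' into the binary SID format."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("unsupported SID: %s" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))          # revision, sub-authority count
            + authority.to_bytes(6, "big")             # identifier authority (big-endian)
            + struct.pack("<%dI" % len(subs), *subs))  # sub-authorities (little-endian)


def sid_from_bytes(buf, off):
    """Decode a binary SID at offset `off`; returns (sid_string, encoded_length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1 or count > 15:
        raise ValueError("malformed SID at offset %d" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs), 8 + 4 * count


def _ace(ace_type, sid, mask):
    """One ACCESS_ALLOWED/ACCESS_DENIED ACE: type, flags, size, mask, SID."""
    sid_b = sid_to_bytes(sid)
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b


def build_rbcd_sd(allowed_sids, denied_sids=(), owner_sid="S-1-5-32-544"):
    """Self-relative descriptor with an owner and a DACL (deny ACEs first)."""
    aces = b"".join(_ace(SEC_ACE_TYPE_ACCESS_DENIED, s, RBCD_ACCESS_MASK) for s in denied_sids)
    aces += b"".join(_ace(SEC_ACE_TYPE_ACCESS_ALLOWED, s, RBCD_ACCESS_MASK) for s in allowed_sids)
    ace_count = len(denied_sids) + len(allowed_sids)
    acl = struct.pack("<BBHHH", SECURITY_ACL_REVISION_ADS, 0, 8 + len(aces), ace_count, 0) + aces
    owner = sid_to_bytes(owner_sid)
    off_owner = 20                       # fixed 20-byte descriptor header
    off_dacl = off_owner + len(owner)
    control = SEC_DESC_DACL_PRESENT | SEC_DESC_SELF_RELATIVE   # 0x8004 as in the dump
    header = struct.pack("<BBHIIII", SECURITY_DESCRIPTOR_REVISION_1, 0, control,
                         off_owner, 0, 0, off_dacl)           # no group, no SACL
    return header + owner + acl


def parse_dacl(sd):
    """Return the DACL as [(ace_type, ace_flags, access_mask, trustee_sid)],
    or None when the descriptor carries no DACL."""
    rev, _sbz1, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != SECURITY_DESCRIPTOR_REVISION_1 or not (control & SEC_DESC_SELF_RELATIVE):
        raise ValueError("not a self-relative revision-1 security descriptor")
    if not (control & SEC_DESC_DACL_PRESENT) or off_dacl == 0:
        return None
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    end = off_dacl + acl_size
    if end > len(sd):
        raise ValueError("ACL size exceeds descriptor")
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_size < 16 or pos + ace_size > end:      # 8-byte ACE header + minimal SID
            raise ValueError("malformed ACE at offset %d" % pos)
        sid, _ = sid_from_bytes(sd, pos + 8)
        aces.append((ace_type, ace_flags, mask, sid))
        pos += ace_size                                 # honour the ACE's own size field
    return aces


def is_allowed_to_delegate(sd, service_sid, required=RBCD_ACCESS_MASK):
    """Simplified RBCD check: walk the DACL in order; an explicit deny for the
    service wins, an allow granting every `required` bit permits delegation.
    An empty attribute, a missing DACL or an empty DACL allows nobody."""
    if not sd:
        return False
    aces = parse_dacl(sd)
    if not aces:
        return False
    for ace_type, _flags, mask, sid in aces:
        if sid != service_sid:
            continue
        if ace_type == SEC_ACE_TYPE_ACCESS_DENIED and (mask & required):
            return False
        if ace_type == SEC_ACE_TYPE_ACCESS_ALLOWED and (mask & required) == required:
            return True
    return False


# Constructed sample: the descriptor from the dump above, where the trustee
# (assumed here to be ServerA) may act on behalf of other identities to ServerB.
SERVER_A_SID = "S-1-5-21-3001743926-1909451141-602466370-1108"
SAMPLE_SD = build_rbcd_sd([SERVER_A_SID])

if __name__ == "__main__":
    print("descriptor length %d bytes, control 0x%04x" % (len(SAMPLE_SD), SAMPLE_SD[2] | SAMPLE_SD[3] << 8))
    for ace in parse_dacl(SAMPLE_SD):
        print("ACE:", ace)
    print("ServerA allowed:", is_allowed_to_delegate(SAMPLE_SD, SERVER_A_SID))
```

Running the module reproduces the sizes in the dump (ACL size 44, ACE size 36, descriptor type 0x8004) and reports whether the sample trustee is permitted. When auditing a real attribute value read from LDAP, feed the raw bytes to parse_dacl() and review every trustee it lists; an unexpected SID there is exactly the condition that lets a compromised service obtain tickets to the resource on behalf of other users.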

commit 41ffba1302b3edec1624ed888620be78e59bc813
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 8 09:19:02 2021 +0100

    s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1a4d43d38eaea06360fccdc6013e3cf8cf951183
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 8 09:18:40 2021 +0100

    s4:auth: Remove trailing spaces in sam.c
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ea15ecfe4d5501189e78b927e4e496dd0f1a4ce0
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Fri Sep 27 18:35:30 2019 +0300

    krb5-mit: Enable S4U client support for MIT build
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Isaac Boukris <iboukris at gmail.com>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1201147d06feeba8b6ec72fb537340ba29b1b95f
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Dec 9 07:48:13 2021 +0100

    s4:kdc: Implement new Microsoft forwardable flag behavior
    
    Allow delegation to any target if we have delegations set up, but the target is
    not specified.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b20606b29152f36b23c3130e31fdc79df8bfea76
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 22 20:09:31 2021 +0100

    s4:mitkdc: Add support for S4U2Self & S4U2Proxy
    
    Pair-Programmed-With: Alexander Bokovoy <ab at samba.org>
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f1ca16f309a1794f7ce44c4112d3c0d458169158
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Oct 4 11:53:55 2021 +0200

    s4:mitkdc: Add support for MIT Kerberos 1.20
    
    This also addresses CVE-2020-17049.
    
    MIT Kerberos 1.20 is in pre-release state at the time of writing this commit. It
    will be released in autumn 2022. We need to support MIT Kerberos 1.19 till
    enough distributions have been released with MIT Kerberos 1.20.
    
    Pair-Programmed-With: Robbie Harwood <rharwood at redhat.com>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Robbie Harwood <rharwood at redhat.com>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ea7b1caa4101118706b56784c1a435ed7a7a183d
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Oct 11 11:55:12 2021 +0200

    s4:mitkdc: Set KRB5_KDB_NO_AUTH_DATA_REQUIRED based on sdb no_auth_data_reqd
    
    This needs to be set so that the MIT KDC >= 1.20 will not call the handle_pac()
    function which executes the issue_pac KDB callback.
    
    Pair-Programmed-With: Alexander Bokovoy <ab at samba.org>
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c9653e511d9e2f85f2fed5186285cdc655fb19e4
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 7 16:28:26 2021 +0200

    selftest: More tests are passing with MIT KRB5 >= 1.20
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f1ec950aeb47283a504018bafa21f54c3282e70c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Dec 21 12:17:11 2021 +0100

    s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cd0efd38d67b266fea188fa8dc5ca8962568ae73
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 25 15:57:07 2022 +0100

    s4:kdc: Align sflags type
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                                |  32 +-
 WHATSNEW.txt                                       |  32 ++
 bootstrap/.gitlab-ci.yml                           |   3 +
 bootstrap/config.py                                |  28 ++
 bootstrap/generated-dists/Vagrantfile              |   7 +
 .../{fedora35 => f35mit120}/Dockerfile             |   0
 .../{fedora35 => f35mit120}/bootstrap.sh           |   3 +
 .../{centos7 => f35mit120}/locale.sh               |   0
 .../{fedora35 => f35mit120}/packages.yml           |   0
 bootstrap/sha1sum.txt                              |   2 +-
 lib/krb5_wrap/krb5_samba.c                         | 192 ++++++++
 lib/krb5_wrap/krb5_samba.h                         |   2 -
 python/samba/tests/krb5/compatability_tests.py     |   9 +-
 selftest/knownfail_mit_kdc                         | 133 +----
 selftest/knownfail_mit_kdc_1_20                    |   9 +
 selftest/knownfail_mit_kdc_pre_1_20                | 201 ++++++++
 selftest/skip_mit_kdc                              |   1 -
 selftest/wscript                                   |   6 +
 source4/auth/kerberos/kerberos_util.c              |  11 -
 source4/auth/sam.c                                 |  35 +-
 source4/kdc/db-glue.c                              | 195 +++++++-
 source4/kdc/db-glue.h                              |   8 +
 source4/kdc/mit-kdb/kdb_samba.c                    |   8 +-
 source4/kdc/mit-kdb/kdb_samba.h                    |  17 +
 source4/kdc/mit-kdb/kdb_samba_policies.c           | 176 ++++++-
 source4/kdc/mit_samba.c                            | 542 +++++++++++++++++++--
 source4/kdc/mit_samba.h                            |  22 +-
 source4/kdc/sdb_to_kdb.c                           |   3 +
 source4/selftest/tests.py                          |   7 +-
 wscript_configure_system_mitkrb5                   |   4 +
 30 files changed, 1454 insertions(+), 234 deletions(-)
 copy bootstrap/generated-dists/{fedora35 => f35mit120}/Dockerfile (100%)
 copy bootstrap/generated-dists/{fedora35 => f35mit120}/bootstrap.sh (95%)
 copy bootstrap/generated-dists/{centos7 => f35mit120}/locale.sh (100%)
 copy bootstrap/generated-dists/{fedora35 => f35mit120}/packages.yml (100%)
 create mode 100644 selftest/knownfail_mit_kdc_1_20
 create mode 100644 selftest/knownfail_mit_kdc_pre_1_20


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 441878df949..8b2b6e8c4de 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: bac18584d47ffc1acb5a697d83f2232598b6afbf
+  SAMBA_CI_CONTAINER_TAG: 24c7cabf5c7c515ffac905cddc533a26d70abd09
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
@@ -63,6 +63,7 @@ variables:
   SAMBA_CI_CONTAINER_IMAGE_opensuse152: opensuse152
   SAMBA_CI_CONTAINER_IMAGE_fedora34: fedora34
   SAMBA_CI_CONTAINER_IMAGE_fedora35: fedora35
+  SAMBA_CI_CONTAINER_IMAGE_f35mit120: f35mit120
   SAMBA_CI_CONTAINER_IMAGE_centos7: centos7
   SAMBA_CI_CONTAINER_IMAGE_centos8s: centos8s
 
@@ -222,6 +223,10 @@ others:
     - .shared_runner_test
   stage: test_only
   script:
+    # Print the Kerberos version to check we ended up with the right one
+    # in the runner. We do not have configure output to recognize it
+    # otherwise.
+    - if [ -x "$(command -v krb5-config)" ]; then krb5-config --version; fi
     # We unpack the artifacts file created by the .shared_template_build_only
     # run we depend on
     - ls -la samba-testbase.tar.gz
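Review bot: the new `krb5-config --version` step is silent when the binary is absent, so a runner that ended up without krb5-config leaves no trace in the job log even though the comment says the purpose is to confirm the right version was picked up; an `else echo "krb5-config not found"` branch would make that case visible. Since the mit120 jobs exist specifically to exercise the 1.20 prerelease, comparing the printed version against the expected major.minor for those jobs (and failing otherwise) would turn this informational line into an actual check.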
@@ -256,6 +261,13 @@ samba-mit-build:
     SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora35}
   stage: build_first
 
+samba-mit120-build:
+  extends: .shared_template_build_only
+  variables:
+    AUTOBUILD_JOB_NAME: samba-mit-build
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_f35mit120}
+  stage: build_first
+
 .needs_samba-mit-build:
   extends: .shared_template_test_only
   variables:
@@ -264,6 +276,14 @@ samba-mit-build:
     - job: samba-mit-build
       artifacts: true
 
+.needs_samba-mit120-build:
+  extends: .shared_template_test_only
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_f35mit120}
+  needs:
+    - job: samba-mit120-build
+      artifacts: true
+
 samba-h5l-build:
   extends: .shared_template_build_only
 
@@ -392,6 +412,11 @@ samba-fips:
     - .needs_samba-mit-build
     - .private_test_only
 
+.needs_samba-mit120-build-private:
+  extends:
+    - .needs_samba-mit120-build
+    - .private_test_only
+
 .needs_samba-h5l-build-private:
   extends:
     - .needs_samba-h5l-build
@@ -426,6 +451,11 @@ samba-nt4:
 samba-addc-mit-1:
   extends: .needs_samba-mit-build-private
 
+samba-addc-mit120:
+  extends: .needs_samba-mit120-build-private
+  variables:
+    AUTOBUILD_JOB_NAME: samba-addc-mit-1
+
 samba-no-opath1:
   extends: .needs_samba-no-opath-build-private
 
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6c7ab0407c8..9e36b20a39a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -16,6 +16,38 @@ UPGRADING
 NEW FEATURES/CHANGES
 ====================
 
+Bronze bit and S4U support with MIT Kerberos 1.20
+-------------------------------------------------
+
+In 2020 Microsoft Security Response Team received another Kerberos-related
+report. Eventually, that led to a security update of the CVE-2020-17049,
+Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
+Bit’. With this vulnerability, a compromised service that is configured to use
+Kerberos constrained delegation feature could tamper with a service ticket that
+is not valid for delegation to force the KDC to accept it.
+
+With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
+‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
+changed to allow passing more details between KDC and KDB components. When built
+against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
+but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
+
+In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
+S4U2Self and S4U2Proxy Kerberos extensions.
+
+Resource Based Constrained Delegation (RBCD) support
+----------------------------------------------------
+
+Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
+Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
+Note that samba-tool lacks support for setting this up yet!
+
+To complete RBCD support and make it useful to Administrators we added the
+Asserted Identity [1] SID into the PAC for constrained delegation. This is
+available for Samba AD compiled with MIT Kerberos 1.20.
+
+[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
+
 
 REMOVED FEATURES
 ================
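Review bot: two typos in the new text: "Samba AD DC is able able to mitigate" doubles "able", and "passing Sambas S4U testsuite" should read "passing Samba's S4U testsuite". In the RBCD section it would help administrators to name the attribute involved, msDS-AllowedToActOnBehalfOfOtherIdentity, since the text says samba-tool cannot configure it yet and readers will otherwise have to discover which attribute to set via LDAP or Windows tooling.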
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index bf41a9845b8..8e221a2b8ef 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -106,6 +106,9 @@ fedora34:
 fedora35:
   extends: .build_image_template
 
+f35mit120:
+  extends: .build_image_template
+
 centos8s:
   extends: .build_image_template
 
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 8bcb9ddbb26..c853c4f0434 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -267,6 +267,23 @@ dnf install -y \
 dnf clean all
 """
 
+DNF_BOOTSTRAP_MIT = r"""
+#!/bin/bash
+{GENERATED_MARKER}
+set -xueo pipefail
+
+dnf update -y
+dnf install -y dnf-plugins-core
+dnf copr -y enable abbra/krb5-test
+dnf update -y
+
+dnf install -y \
+    --setopt=install_weak_deps=False \
+    {pkgs}
+
+dnf clean all
+"""
+
 ZYPPER_BOOTSTRAP = r"""
 #!/bin/bash
 {GENERATED_MARKER}
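Review bot: `DNF_BOOTSTRAP_MIT` enables the personal COPR `abbra/krb5-test` and then runs `dnf update -y`, so the krb5 packages in this image come from a third-party prerelease repository whose contents can change between image builds; `bootstrap/sha1sum.txt` pins the bootstrap script, not the package versions it pulls. A comment recording the krb5 version the image is expected to contain would make a silent repository change diagnosable from the `krb5-config --version` output, and the `dnf update -y` that runs before the COPR is enabled deserves a one-line note saying the second update after enabling it is intentional, or it will read as a copy-paste leftover.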
@@ -501,6 +518,17 @@ RPM_DISTS = {
             'libtracker-sparql-2.0-dev': '',  # only tracker 3.x is available
         }
     },
+    'f35mit120': {
+        'docker_image': 'fedora:35',
+        'vagrant_box': 'fedora/35-cloud-base',
+        'bootstrap': DNF_BOOTSTRAP_MIT,
+        'replace': {
+            'lsb-release': 'redhat-lsb',
+            'perl-FindBin': '',
+            'python3-iso8601': 'python3-dateutil',
+            'libtracker-sparql-2.0-dev': '',  # only tracker 3.x is available
+        }
+    },
     'opensuse151': {
         'docker_image': 'opensuse/leap:15.1',
         'vagrant_box': 'opensuse/openSUSE-15.1-x86_64',
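Review bot: the `replace` mapping in the new `f35mit120` entry appears to duplicate the `fedora35` one just above it (the visible `'libtracker-sparql-2.0-dev': ''` line is in both); defining the Fedora 35 replacements once and referencing them from both entries would keep the two from drifting apart when the Fedora 35 package list changes, which matters because the commit message says the mit120 runners are temporary and will be removed again.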
diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile
index 0bee124afa9..518535f3a61 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -38,6 +38,13 @@ Vagrant.configure("2") do |config|
         v.vm.provision :shell, path: "debian11/locale.sh"
     end
 
+    config.vm.define "f35mit120" do |v|
+        v.vm.box = "fedora/35-cloud-base"
+        v.vm.hostname = "f35mit120"
+        v.vm.provision :shell, path: "f35mit120/bootstrap.sh"
+        v.vm.provision :shell, path: "f35mit120/locale.sh"
+    end
+
     config.vm.define "fedora34" do |v|
         v.vm.box = "fedora/34-cloud-base"
         v.vm.hostname = "fedora34"
diff --git a/bootstrap/generated-dists/fedora35/Dockerfile b/bootstrap/generated-dists/f35mit120/Dockerfile
similarity index 100%
copy from bootstrap/generated-dists/fedora35/Dockerfile
copy to bootstrap/generated-dists/f35mit120/Dockerfile
diff --git a/bootstrap/generated-dists/fedora35/bootstrap.sh b/bootstrap/generated-dists/f35mit120/bootstrap.sh
similarity index 95%
copy from bootstrap/generated-dists/fedora35/bootstrap.sh
copy to bootstrap/generated-dists/f35mit120/bootstrap.sh
index 0d8a3366ab9..aa77d63efa0 100755
--- a/bootstrap/generated-dists/fedora35/bootstrap.sh
+++ b/bootstrap/generated-dists/f35mit120/bootstrap.sh
@@ -7,6 +7,9 @@
 
 set -xueo pipefail
 
+dnf update -y
+dnf install -y dnf-plugins-core
+dnf copr -y enable abbra/krb5-test
 dnf update -y
 
 dnf install -y \
diff --git a/bootstrap/generated-dists/centos7/locale.sh b/bootstrap/generated-dists/f35mit120/locale.sh
similarity index 100%
copy from bootstrap/generated-dists/centos7/locale.sh
copy to bootstrap/generated-dists/f35mit120/locale.sh
diff --git a/bootstrap/generated-dists/fedora35/packages.yml b/bootstrap/generated-dists/f35mit120/packages.yml
similarity index 100%
copy from bootstrap/generated-dists/fedora35/packages.yml
copy to bootstrap/generated-dists/f35mit120/packages.yml
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index aa96502dd76..bd250e98d99 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-bac18584d47ffc1acb5a697d83f2232598b6afbf
+24c7cabf5c7c515ffac905cddc533a26d70abd09
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 99809ffea27..e9eaddac75d 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2702,6 +2702,198 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 
 	return 0;
 }
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+				    krb5_principal a,
+				    krb5_principal b)
+{
+	krb5_principal mod = NULL;
+	bool cmp;
+
+	if (a->length == 1 && b->length == 1 &&
+	    a->data[0].length != 0 && b->data[0].length != 0 &&
+	    a->data[0].data[a->data[0].length - 1] !=
+	    b->data[0].data[b->data[0].length - 1]) {
+		if (a->data[0].data[a->data[0].length - 1] == '$') {
+			mod = a;
+			mod->data[0].length--;
+		} else if (b->data[0].data[b->data[0].length - 1] == '$') {
+			mod = b;
+			mod->data[0].length--;
+		}
+	}
+
+	cmp = krb5_principal_compare_flags(ctx,
+					   a,
+					   b,
+					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+	if (mod != NULL) {
+		mod->data[0].length++;
+	}
+
+	return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+					   krb5_ccache store_cc,
+					   krb5_principal init_principal,
+					   const char *init_password,
+					   krb5_principal impersonate_principal,
+					   const char *self_service,
+					   const char *target_service,
+					   krb5_get_init_creds_opt *krb_options,
+					   time_t *expire_time,
+					   time_t *kdc_time)
+{
+	krb5_error_code code;
+	krb5_principal self_princ = NULL;
+	krb5_principal target_princ = NULL;
+	krb5_creds *store_creds = NULL;
+	krb5_creds *s4u2self_creds = NULL;
+	krb5_creds *s4u2proxy_creds = NULL;
+	krb5_creds init_creds = {0};
+	krb5_creds mcreds = {0};
+	krb5_flags options = KRB5_GC_NO_STORE;
+	krb5_ccache tmp_cc;
+	bool s4u2proxy = false;
+	bool ok;
+
+	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+	if (code != 0) {
+		return code;
+	}
+
+	code = krb5_get_init_creds_password(ctx,
+					    &init_creds,
+					    init_principal,
+					    init_password,
+					    NULL,
+					    NULL,
+					    0,
+					    NULL,
+					    krb_options);
+	if (code != 0) {
+		goto done;
+	}
+
+	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+	if (code != 0) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+	if (code != 0) {
+		goto done;
+	}
+
+	/*
+	 * Check if we also need S4U2Proxy or if S4U2Self is
+	 * enough in order to get a ticket for the target.
+	 */
+	if (target_service == NULL) {
+		s4u2proxy = false;
+	} else if (strcmp(target_service, self_service) == 0) {
+		s4u2proxy = false;
+	} else {
+		s4u2proxy = true;
+	}
+
+	code = krb5_parse_name(ctx, self_service, &self_princ);
+	if (code != 0) {
+		goto done;
+	}
+
+	/*
+	 * MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+	 * client and the request server to be the same principal name.
+	 */
+	ok = princ_compare_no_dollar(ctx, init_creds.client, self_princ);
+	if (!ok) {
+		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+		goto done;
+	}
+
+	mcreds.client = impersonate_principal;
+	mcreds.server = init_creds.client;
+
+	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+					     NULL, &s4u2self_creds);
+	if (code != 0) {
+		goto done;
+	}
+
+	if (s4u2proxy) {
+		code = krb5_parse_name(ctx, target_service, &target_princ);
+		if (code != 0) {
+			goto done;
+		}
+
+		mcreds.client = init_creds.client;
+		mcreds.server = target_princ;
+		mcreds.second_ticket = s4u2self_creds->ticket;
+
+		code = krb5_get_credentials(ctx, options |
+					    KRB5_GC_CONSTRAINED_DELEGATION,
+					    tmp_cc, &mcreds, &s4u2proxy_creds);
+		if (code != 0) {
+			goto done;
+		}
+
+		/* Check KDC support of S4U2Proxy extension */
+		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+					    s4u2proxy_creds->client)) {
+			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+			goto done;
+		}
+
+		store_creds = s4u2proxy_creds;
+	} else {
+		store_creds = s4u2self_creds;;
+
+		/* We need to save the ticket with the requested server name
+		 * or the caller won't be able to find it in cache. */
+		if (!krb5_principal_compare(ctx, self_princ,
+			store_creds->server)) {
+			krb5_free_principal(ctx, store_creds->server);
+			store_creds->server = NULL;
+			code = krb5_copy_principal(ctx, self_princ,
+						   &store_creds->server);
+			if (code != 0) {
+				goto done;
+			}
+		}
+	}
+
+	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+	if (code != 0) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+	if (code != 0) {
+		goto done;
+	}
+
+	if (expire_time) {
+		*expire_time = (time_t) store_creds->times.endtime;
+	}
+
+	if (kdc_time) {
+		*kdc_time = (time_t) store_creds->times.starttime;
+	}
+
+done:
+	krb5_cc_destroy(ctx, tmp_cc);
+	krb5_free_cred_contents(ctx, &init_creds);
+	krb5_free_creds(ctx, s4u2self_creds);
+	krb5_free_creds(ctx, s4u2proxy_creds);
+	krb5_free_principal(ctx, self_princ);
+	krb5_free_principal(ctx, target_princ);
+
+	return code;
+}
 #endif
 
 #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
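Review bot: `princ_compare_no_dollar()` rewrites its arguments in place: it decrements `a->data[0].length` or `b->data[0].length`, compares, then restores the length. It is called with `init_creds.client` and `self_princ`, both owned by this function, so nothing observes the transient change today, but the signature gives no hint that both principals are mutated and any future early return between the decrement and the `mod->data[0].length++` would leave a shortened name behind; trimming a copy made with `krb5_copy_principal()` and freeing it afterwards would be safer and would let both parameters be documented as read-only. Minor: `store_creds = s4u2self_creds;;` carries a stray second semicolon.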
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index a66b7465530..c8573f52bd9 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
 					       krb5_get_init_creds_opt *krb_options,
 					       time_t *expire_time,
 					       time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
 krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 					   krb5_ccache store_cc,
 					   krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 					   krb5_get_init_creds_opt *krb_options,
 					   time_t *expire_time,
 					   time_t *kdc_time);
-#endif
 
 #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
 #define smb_krb5_make_principal krb5_make_principal
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index 44c2afd41dc..b862f381bc5 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -120,7 +120,12 @@ class SimpleKerberosTests(KDCBaseTest):
             self.fail(
                 "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
 
-    def test_heimdal_ticket_signature(self):
+    # This tests also passes again Samba AD built with MIT Kerberos 1.20 which
+    # is not released yet.
+    #
+    # FIXME: Should be moved to to a new kdc_tgt_tests.py once MIT KRB5 1.20
+    # is released.
+    def test_ticket_signature(self):
         # Ensure that a DC correctly issues tickets signed with its krbtgt key.
         user_creds = self.get_client_creds()
         target_creds = self.get_service_creds()
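Review bot: the new comment has typos: "This tests also passes again Samba AD" should read "This test also passes against Samba AD", and "moved to to a new kdc_tgt_tests.py" doubles "to". Spelling out that the test is expected to pass on Heimdal and on MIT Kerberos 1.20, and to be listed in the pre-1.20 knownfail file for older MIT builds, would save the next reader from working out the version split from the rename alone.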
@@ -141,7 +146,7 @@ class SimpleKerberosTests(KDCBaseTest):
         self.verify_ticket(service_ticket, key, service_ticket=True,
                            expect_ticket_checksum=True)
 
-    def test_mit_ticket_signature(self):
+    def test_mit_pre_1_20_ticket_signature(self):
         # Ensure that a DC does not issue tickets signed with its krbtgt key.
         user_creds = self.get_client_creds()
         target_creds = self.get_service_creds()
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index ab4976ea690..c2a35c68152 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -7,54 +7,6 @@
 # MIT KDC
 #
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials\(


-- 
Samba Shared Repository



More information about the samba-cvs mailing list