[PATCH] s4:kdc: add aes key support for trusted domains

Andrew Bartlett abartlet at samba.org
Mon Mar 9 21:55:50 MDT 2015


On Thu, 2014-12-18 at 21:12 +0100, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> here's a patch to add support to provide aes key for cross-forest
> kerberos tickets.
> 
> Please review and push.

G'Day,

This patch was merged into master as
8dd37327b02eaea33915a9cd206667981b8df872

I've been looking over this so that I can include it as part of bug
11142 (because doing so allows all the other patches to land cleanly,
without manual fixups), and in doing a by-eye review, I think I've found
a regression.  

The patch changes where we call 
krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
from at the bottom of the function, to just BEFORE this block:

        if (direction == INBOUND) {
                password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");

        } else { /* OUTBOUND */
                dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
                /* replace realm */
                realm = strupper_talloc(mem_ctx, dnsdomain);
                password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
        }

Was this deliberate?  

I'm thinking this really needs an automated test, like the krb5.kdc
tests.  The attached two patches should help us add a test like krb5.kdc
in the rpc.lsa.trusted.domains test.  

My thought is to work out which trust types produce Kerberos principals
we can obtain tickets to, and then get at least an arcfour-hmac-md5
ticket to them, validating the result with krb5_rd_req() against a
keyblock.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
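To make the ordering question in the mail above concrete, the following is an added, constructed model (not Samba code and not part of the original message): it mimics the quoted if/else with plain C strings and returns the realm a trust principal would end up with when the realm is set before the branch versus at the end of the function. The field names, the assumed starting value (the KDC's own realm) and the `upper_copy()` stand-in for `strupper_talloc()` are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ordering discussed in the mail; not Samba code. */

enum trust_direction { INBOUND, OUTBOUND };

/* Stand-in for the one trustedDomain attribute the model needs (assumption). */
struct trust_msg {
    const char *trust_partner;   /* "trustPartner": the partner's DNS domain */
};

struct principal {
    char realm[128];
};

/* Upper-case copy, standing in for strupper_talloc() (assumption). */
static void upper_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++) {
        dst[i] = (char)toupper((unsigned char)src[i]);
    }
    dst[i] = '\0';
}

/*
 * Returns the realm the trust principal ends up with.
 * local_realm: the KDC's own realm, assumed to be the value of `realm`
 *              before the OUTBOUND branch replaces it.
 * set_realm_before_branch: 1 models calling krb5_principal_set_realm()
 *              just before the if/else; 0 models calling it at the end.
 */
static const char *trust_principal_realm(enum trust_direction direction,
                                         const struct trust_msg *msg,
                                         const char *local_realm,
                                         int set_realm_before_branch,
                                         struct principal *out)
{
    char realm[128];

    upper_copy(realm, sizeof(realm), local_realm);

    if (set_realm_before_branch) {
        /* Ordering after the patch: the principal keeps this value. */
        snprintf(out->realm, sizeof(out->realm), "%s", realm);
    }

    if (direction == INBOUND) {
        /* password_val = trustAuthIncoming; realm is left unchanged */
    } else { /* OUTBOUND */
        /* replace realm with the upper-cased trustPartner */
        upper_copy(realm, sizeof(realm), msg->trust_partner);
        /* password_val = trustAuthOutgoing */
    }

    if (!set_realm_before_branch) {
        /* Ordering before the patch: the replaced realm is what gets set. */
        snprintf(out->realm, sizeof(out->realm), "%s", realm);
    }
    return out->realm;
}

/* Does the given ordering yield the partner's realm for an OUTBOUND trust? */
static int outbound_realm_matches_partner(int set_realm_before_branch)
{
    struct trust_msg msg = { .trust_partner = "partner.example.test" }; /* constructed */
    struct principal p;

    trust_principal_realm(OUTBOUND, &msg, "LOCAL.EXAMPLE.TEST",
                          set_realm_before_branch, &p);
    return strcmp(p.realm, "PARTNER.EXAMPLE.TEST") == 0;
}

int main(void)
{
    printf("set at end of function, OUTBOUND realm is partner: %d\n",
           outbound_realm_matches_partner(0));
    printf("set before branch,     OUTBOUND realm is partner: %d\n",
           outbound_realm_matches_partner(1));
    return 0;
}
```

The INBOUND case is unaffected by the ordering because that branch never touches `realm`; only the OUTBOUND case, where the branch itself replaces `realm`, differs between the two call sites, which is why a test that actually obtains a ticket for an outbound trust principal, as the mail proposes, would catch this where a by-eye review might not.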



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-Run-lsa.trusted.domains-auth-tests-against-s.patch
Type: text/x-patch
Size: 1475 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150310/849470e2/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-torture-lsa-Allow-rpc.lsa.trusted.domains-to-run-suc.patch
Type: text/x-patch
Size: 1606 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150310/849470e2/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150310/849470e2/attachment.pgp>

