[PATCH] s4:kdc: add aes key support for trusted domains

Stefan (metze) Metzmacher metze at samba.org
Tue Mar 10 09:23:11 MDT 2015


Am 10.03.2015 um 04:55 schrieb Andrew Bartlett:
> On Thu, 2014-12-18 at 21:12 +0100, Stefan (metze) Metzmacher wrote:
>> Hi,
>>
>> here's a patch to add support to provide an AES key for cross-forest
>> Kerberos tickets.
>>
>> Please review and push.
> 
> G'Day,
> 
> This patch was merged into master as
> 8dd37327b02eaea33915a9cd206667981b8df872
> 
> I've been looking over this so that I can include it as part of bug
> 11142 (because doing so allows all the other patches to land cleanly,
> without manual fixups), and in doing a by-eye review, I think I've found
> a regression.  
> 
> The patch changes where we call 
> krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
> from at the bottom of the function, to just BEFORE this block:
> 
>        if (direction == INBOUND) {
>                 password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
> 
>         } else { /* OUTBOUND */
>                 dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
>                 /* replace realm */
>                 realm = strupper_talloc(mem_ctx, dnsdomain);
>                 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
>         }
> 
> Was this deliberate?  

No, but seems to have no effect, as we use the raw given 'principal'
variable in order to calculate the salt.

I guess I'll provide a patch to fix this.

But while testing I found some additional problems with enterprise
principals, see the attached patches.

I'll do more testing in the next days.

I've integrated your attached fixes to my master4-forest branch
and added some more for rpc.lsa.forest.trust.

> I'm thinking this really needs an automated test, like the krb5.kdc
> tests.  The attached two patches should help us add a test like krb5.kdc
> in the rpc.lsa.trusted.domains test.  
> 
> My thought is to work out which trust types produce Kerberos principals
> we can obtain tickets to, and then get at least an arcfour-hmac-md5
> ticket to them, validating the result with krb5_rd_req() against a
> keyblock.

I'm a bit lost looking at source4/torture/krb5/kdc.c
and source4/torture/krb5/kdc-canon.c...

I'll first try to get my ~300 patches squashed and ready.

Then we can think about direct kdc tests, but I'm not
sure how we could test the OUTBOUND case in
samba_kdc_trust_message2entry in such a
test, as it would require a remote kdc to generate a referral ticket.
But I'll need help on that...

metze

-------------- next part --------------
From 7c360a548dbc2481952235b30b0d7bf8b9d0703c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 15:36:01 +0100
Subject: [PATCH 1/2] heimdal:lib/krb5: allow enterprise principals in
 verify_logonname()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/heimdal/lib/krb5/pac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
index 91f68d5..835ea47 100644
--- a/source4/heimdal/lib/krb5/pac.c
+++ b/source4/heimdal/lib/krb5/pac.c
@@ -677,7 +677,9 @@ verify_logonname(krb5_context context,
 	    return ret;
 	}
     }
-    ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
+    ret = krb5_parse_name_flags(context, s,
+				KRB5_PRINCIPAL_PARSE_NO_REALM|
+				KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p2);
     free(s);
     if (ret)
 	return ret;
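Review bot: missing rationale for the new KRB5_PRINCIPAL_PARSE_ENTERPRISE flag in the krb5_parse_name_flags() call; neither the commit message nor a code comment says why verify_logonname() needs it. Presumably the PAC logon name of an enterprise principal carries an '@' inside the name itself, which without this flag is read as the realm separator and then rejected under KRB5_PRINCIPAL_PARSE_NO_REALM. Please say so in the commit message and add a one-line comment above the call, since combining an enterprise flag with NO_REALM looks odd to a reader of pac.c otherwise.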
-- 
1.9.1


From f84dda7eafebd164b8abdae5f75e73e6dc0a4e8b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 15:33:14 +0100
Subject: [PATCH 2/2] heimdal:lib/krb5: let build_logon_name() use
 KRB5_PRINCIPAL_UNPARSE_DISPLAY

An ENTERPRISE principal should result in 'administrator@S4XDOM.BASE'
instead of 'administrator\@S4XDOM.BASE'.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/heimdal/lib/krb5/pac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
index 835ea47..e8672aa 100644
--- a/source4/heimdal/lib/krb5/pac.c
+++ b/source4/heimdal/lib/krb5/pac.c
@@ -724,7 +724,9 @@ build_logon_name(krb5_context context,
     CHECK(ret, krb5_store_uint32(sp, t >> 32), out);
 
     ret = krb5_unparse_name_flags(context, principal,
-				  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s);
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM|
+				  KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+				  &s);
     if (ret)
 	goto out;
 
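Review bot: KRB5_PRINCIPAL_UNPARSE_DISPLAY turns off quoting for every principal, not only enterprise ones, so any component containing a character that krb5_unparse_name_flags() would otherwise escape (a '/', '@' or '\' in a user name) now produces a different logon-name string than before. The commit message should state that this unescaped form is what is expected in the PAC, and the same convention has to hold on the verify side in patch 1/2, where the string is parsed back with KRB5_PRINCIPAL_PARSE_ENTERPRISE; otherwise build_logon_name() and verify_logonname() disagree for exactly the names this series is about. A regression test that builds and verifies a PAC for an enterprise principal, along the lines of the torture tests discussed earlier in the thread, would pin this behaviour down.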
-- 
1.9.1