eUPN and Kerberos PAC issues

Andrew Bartlett abartlet at samba.org
Tue Mar 10 21:41:40 MDT 2015 

On Wed, 2015-03-11 at 14:01 +1300, Andrew Bartlett wrote:
> On Wed, 2015-03-11 at 00:43 +0100, Stefan (metze) Metzmacher wrote:
> > Am 10.03.2015 um 23:28 schrieb Andrew Bartlett:
> > > On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:
> > > 
> > >> But while testing I found some additional problems with enterprise
> > >> principals,
> > >> see the attached patches.
> > > 
> > > Thanks.  What did you do to trigger these?  Did it happen on the server,
> > > or (as I'm assuming) on the client?  Does it trigger against Windows as
> > > the server, or Samba?  Unless canonicalise was forced off (like I do in
> > > the krb5.kdc tests), how do we get an enterprise principal in the PAC?  
> > 
> > I did the following:
> > 
> > kinit -E administrator at W2012R2-L4.BASE
> > kvno cifs/ub1204-161.s4xdom.base
> > 
> > => that generated an error "realm found in 'short' principal"
> > Because the windows kdc added administrator at W2012R2-L4.BASE in the PAC.
> > 
> > While
> > 
> > kinit administrator at W2012R2-L4.BASE
> > kvno cifs/ub1204-161.s4xdom.base
> > 
> > worked fine, as there's only "administrator" in the PAC.
> > 
> > I'd also another bug.
> > 
> > kinit -E administrator at S4XDOM.BASE
> > kvno cifs/w2012r2-183.w2012r2-l4.base
> > failed with message altered.
> > 
> > While it worked with
> > kinit -C -E administrator at S4XDOM.BASE
> > kvno cifs/w2012r2-183.w2012r2-l4.base
> > 
> > and
> > kinit administrator at S4XDOM.BASE
> > kvno cifs/w2012r2-183.w2012r2-l4.base
> > 
> > Maybe this is also fixed, but I need to retest that.
> > 
> > > In the meantime, I'll follow though and finish the tests by making our
> > > code validate the tickets being obtained. 
> > 
> 
> Thanks for the detailed explanation metze, that gives me the right
> information to build the test with. 
> 
> One question:  How did the patch help, as it was against Heimdal and
> kvno is only in MIT?
> 
> Or did you fix it in your local MIT and port that to Heimdal, or
> something else?

Ahh!  Now I understand it.  You were hitting a check in the MIT krb5
client, that you then fixed in the server, and in turn fixed in the
client to match, even if that wasn't triggered in your testing.  The
tests I include in the patches attached prove this your changes are
indeed correct (tested by reverting them).  These tests also pass
against Win2012R2. 

Please review/push!

Thanks!

> Thanks!
> 
> Andrew Bartlett
> 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-kerberos-Do-a-string-comparison-in-kerberos_dec.patch
Type: text/x-patch
Size: 2644 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/0f5e0f05/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-torture-krb5-Test-accepting-the-ticket-to-ensure-PAC.patch
Type: text/x-patch
Size: 7275 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/0f5e0f05/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-heimdal-lib-krb5-allow-enterprise-principals-in-veri.patch
Type: text/x-patch
Size: 966 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/0f5e0f05/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-heimdal-lib-krb5-let-build_logon_name-use-KRB5_PRINC.patch
Type: text/x-patch
Size: 1083 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/0f5e0f05/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/0f5e0f05/attachment.pgp>

More information about the samba-technical mailing list