eUPN and Kerberos PAC issues

Andrew Bartlett abartlet at samba.org
Tue Mar 10 22:07:10 MDT 2015


On Wed, 2015-03-11 at 16:41 +1300, Andrew Bartlett wrote:
> On Wed, 2015-03-11 at 14:01 +1300, Andrew Bartlett wrote:
> > On Wed, 2015-03-11 at 00:43 +0100, Stefan (metze) Metzmacher wrote:
> > > On 10.03.2015 at 23:28, Andrew Bartlett wrote:
> > > > On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:
> > > > 
> > > >> But while testing I found some additional problems with enterprise
> > > >> principals,
> > > >> see the attached patches.
> > > > 
> > > > Thanks.  What did you do to trigger these?  Did it happen on the server,
> > > > or (as I'm assuming) on the client?  Does it trigger against Windows as
> > > > the server, or Samba?  Unless canonicalise was forced off (like I do in
> > > > the krb5.kdc tests), how do we get an enterprise principal in the PAC?  
> > > 
> > > I did the following:
> > > 
> > > kinit -E administrator@W2012R2-L4.BASE
> > > kvno cifs/ub1204-161.s4xdom.base
> > > 
> > > => that generated an error "realm found in 'short' principal"
> > > Because the Windows KDC added administrator@W2012R2-L4.BASE in the PAC.
> > > 
> > > While
> > > 
> > > kinit administrator@W2012R2-L4.BASE
> > > kvno cifs/ub1204-161.s4xdom.base
> > > 
> > > worked fine, as there's only "administrator" in the PAC.
> > > 
> > > I also had another bug.
> > > 
> > > kinit -E administrator@S4XDOM.BASE
> > > kvno cifs/w2012r2-183.w2012r2-l4.base
> > > failed with message altered.
> > > 
> > > While it worked with
> > > kinit -C -E administrator@S4XDOM.BASE
> > > kvno cifs/w2012r2-183.w2012r2-l4.base
> > > 
> > > and
> > > kinit administrator@S4XDOM.BASE
> > > kvno cifs/w2012r2-183.w2012r2-l4.base
> > > 
> > > Maybe this is also fixed, but I need to retest that.
> > > 
> > > > In the meantime, I'll follow through and finish the tests by making our
> > > > code validate the tickets being obtained. 
> > > 
> > 
> > Thanks for the detailed explanation metze, that gives me the right
> > information to build the test with. 
> > 
> > One question:  How did the patch help, as it was against Heimdal and
> > kvno is only in MIT?
> > 
> > Or did you fix it in your local MIT and port that to Heimdal, or
> > something else?
> 
> Ahh!  Now I understand it.  You were hitting a check in the MIT krb5
> client, that you then fixed in the server, and in turn fixed in the
> client to match, even if that wasn't triggered in your testing.  The
> tests I include in the patches attached prove that your changes are
> indeed correct (tested by reverting them).  These tests also pass
> against Win2012R2. 
> 
> Please review/push!

The attached versions of the patches have a BUG URL for the overall eUPN
support patch. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
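The reproduction metze describes above (a plain principal yields "administrator" in the PAC, an enterprise principal yields the full "administrator@W2012R2-L4.BASE", and re-parsing the latter as a short name fails with "realm found in 'short' principal") is modelled below as an added example. It is not Samba or Heimdal code and uses no Heimdal API; the principal struct, the result codes, the SAMPLE_* values and the two check functions are the example's own assumptions, written to show why a string comparison of the logon name (as patch 0001's title describes) is the check that survives eUPNs:

```c
/* Added example, not Samba/Heimdal code: how a PAC logon-name check must
 * treat enterprise principals (eUPNs). All types and names are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Kerberos name types relevant here (values as in RFC 4120 / RFC 6806). */
enum name_type {
    NT_PRINCIPAL = 1,
    NT_ENTERPRISE_PRINCIPAL = 10
};

/* Heavily simplified principal: up to two components plus a realm. */
struct principal {
    enum name_type type;
    const char *comp[2];
    int ncomp;
    const char *realm;
};

/* Outcome of validating the PAC logon name against the ticket client. */
enum pac_check {
    PAC_NAME_MATCH = 0,
    PAC_NAME_MISMATCH = 1,
    PAC_NAME_PARSE_ERROR = 2   /* the "realm found in 'short' principal" case */
};

/* Constructed samples mirroring the thread's kinit/kvno reproduction. */
const struct principal SAMPLE_PLAIN = {
    NT_PRINCIPAL, {"administrator", NULL}, 1, "W2012R2-L4.BASE" };
const struct principal SAMPLE_EUPN = {
    NT_ENTERPRISE_PRINCIPAL, {"administrator@W2012R2-L4.BASE", NULL}, 1, "W2012R2-L4.BASE" };
const struct principal SAMPLE_SERVICE = {
    NT_PRINCIPAL, {"cifs", "ub1204-161.s4xdom.base"}, 2, "S4XDOM.BASE" };

/* Unparse the client name without its realm, which is what the KDC places in
 * the PAC. For an eUPN the single component is the whole "user@suffix"
 * string, so the '@' is part of the name and is kept verbatim. */
size_t build_logon_name(const struct principal *p, char *out, size_t outlen)
{
    out[0] = '\0';
    if (p->type == NT_ENTERPRISE_PRINCIPAL && p->ncomp != 1) {
        return 0;  /* an enterprise principal always has exactly one component */
    }
    for (int i = 0; i < p->ncomp; i++) {
        if (i > 0) strncat(out, "/", outlen - strlen(out) - 1);
        strncat(out, p->comp[i], outlen - strlen(out) - 1);
    }
    return strlen(out);
}

/* Convenience for checks: does the built logon name equal `expected`? */
bool logon_name_is(const struct principal *p, const char *expected)
{
    char buf[256];
    build_logon_name(p, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Broken approach: parse the PAC logon name back with a short-name parser,
 * which rejects any '@' because a short name may not carry a realm. Every
 * eUPN logon name therefore fails before it can even be compared. */
enum pac_check check_logon_name_by_parsing(const struct principal *client,
                                           const char *pac_name)
{
    if (strchr(pac_name, '@') != NULL) {
        return PAC_NAME_PARSE_ERROR;
    }
    return logon_name_is(client, pac_name) ? PAC_NAME_MATCH : PAC_NAME_MISMATCH;
}

/* Fixed approach: never parse the PAC value; unparse the ticket's client
 * name without realm and compare the two strings directly. */
enum pac_check check_logon_name_by_string(const struct principal *client,
                                          const char *pac_name)
{
    return logon_name_is(client, pac_name) ? PAC_NAME_MATCH : PAC_NAME_MISMATCH;
}

int main(void)
{
    const char *eupn_pac = "administrator@W2012R2-L4.BASE";
    printf("plain, by parsing: %d\n", check_logon_name_by_parsing(&SAMPLE_PLAIN, "administrator"));
    printf("eUPN,  by parsing: %d\n", check_logon_name_by_parsing(&SAMPLE_EUPN, eupn_pac));
    printf("eUPN,  by string:  %d\n", check_logon_name_by_string(&SAMPLE_EUPN, eupn_pac));
    return 0;
}
```

The mismatch path is still exercised by the string comparison, so the fix does not weaken the check: a PAC naming a different account than the ticket's client is rejected either way, while a PAC carrying the eUPN as issued by a Windows KDC is now accepted.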



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-kerberos-Do-a-string-comparison-in-kerberos_dec.patch
Type: text/x-patch
Size: 2699 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/35d69098/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-torture-krb5-Test-accepting-the-ticket-to-ensure-PAC.patch
Type: text/x-patch
Size: 7329 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/35d69098/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-heimdal-lib-krb5-allow-enterprise-principals-in-veri.patch
Type: text/x-patch
Size: 1020 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/35d69098/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-heimdal-lib-krb5-let-build_logon_name-use-KRB5_PRINC.patch
Type: text/x-patch
Size: 1136 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/35d69098/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150311/35d69098/attachment.pgp>

