eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at samba.org
Sun Mar 15 15:55:12 MDT 2015


Hi Andrew,

>>> I don't see the additional tests in your autobuild.  Are you planning on
>>> pushing those later?
>>
>> There was a problem with the s4member env.
>>
>> I've fixed the bug, see
>> https://git.samba.org/?p=metze/samba-autobuild/.git;a=commitdiff;h=272ab25b540f8e2a718fbdff5acc6e73798fc415
>> and pushed everything.
> 
> Thank you so much for looking into this, and sorry for the bother!
> 
> I'm really pleased with how the KDC and our AD support is improving, and
> being validated.  Thanks for all your efforts in this area.

What about the following two patches?

metze
-------------- next part --------------
From db4c00d78a029303d52d634b834b13a1fe577570 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 13 Mar 2015 14:39:10 +0100
Subject: [PATCH 1/2] s4:auth/gensec_gssapi: let gensec_gssapi_update() return
 NT_STATUS_LOGON_FAILURE for unknown errors

The 'nt_status' variable is set to NT_STATUS_OK before.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11164

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/gensec/gensec_gssapi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c168d8a..59dd434 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -648,14 +648,14 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 					  gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
 					  gensec_gssapi_state->gss_exchange_count,
 					  gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-				return nt_status;
+				return NT_STATUS_LOGON_FAILURE;
 			}
 		} else {
 			DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
 				  gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
 				  gensec_gssapi_state->gss_exchange_count,
 				  gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-			return nt_status;
+			return NT_STATUS_LOGON_FAILURE;
 		}
 		break;
 	}
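Review bot: the two `return nt_status;` sites replaced here were only wrong because, as the commit message says, nt_status starts out as NT_STATUS_OK, and that default-to-success initialisation is the root cause rather than these two lines. Any other exit from this function that reaches a `return nt_status;` without an explicit failure assignment has the same problem, so initialise nt_status to a failure value (NT_STATUS_LOGON_FAILURE or NT_STATUS_INTERNAL_ERROR) at its declaration and assign NT_STATUS_OK / NT_STATUS_MORE_PROCESSING_REQUIRED only on the success paths; the explicit `return NT_STATUS_LOGON_FAILURE;` in both the unknown-error and generic-failure branches is then a belt-and-braces measure rather than the sole guard. Note also that both DEBUG(1) messages cover the client role as well as the server role, so a failed gss_init_sec_context() on the client now surfaces to callers as NT_STATUS_LOGON_FAILURE; that is acceptable, but say so in the commit message.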
-- 
1.9.1


From d16e792b8b87c8ca3f76a87ba663e5bbce55b0bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 15 Mar 2015 22:25:49 +0100
Subject: [PATCH 2/2] s4:kdc: fix realm for outgoing trusts in
 samba_kdc_trust_message2entry()

This is a regression introduced in commit
8dd37327b02eaea33915a9cd206667981b8df872.

Now we change 'realm' before calling
ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
as before commit 8dd37327b02eaea33915a9cd206667981b8df872.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/kdc/db-glue.c | 53 +++++++++++++++++++++++++--------------------------
 1 file changed, 26 insertions(+), 27 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8f2b361..bc82482 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -965,6 +965,32 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 					supported_enctypes);
 	}
 
+	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
+
+	if (direction == INBOUND) {
+		password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+
+	} else { /* OUTBOUND */
+		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+		/* replace realm */
+		realm = strupper_talloc(mem_ctx, dnsdomain);
+		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+	}
+
+	if (!password_val || !(trust_direction_flags & direction)) {
+		krb5_clear_error_message(context);
+		ret = HDB_ERR_NOENTRY;
+		goto out;
+	}
+
+	ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
+				       (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		krb5_clear_error_message(context);
+		ret = EINVAL;
+		goto out;
+	}
+
 	p = talloc(mem_ctx, struct samba_kdc_entry);
 	if (!p) {
 		ret = ENOMEM;
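Review bot: in the OUTBOUND branch the result of strupper_talloc() is never checked. ldb_msg_find_attr_as_string(msg, "trustPartner", NULL) returns NULL when the attribute is missing, and strupper_talloc() returns NULL on allocation failure (and on a NULL input), so realm can be NULL at this point and, per the commit message, is later passed to krb5_principal_set_realm(). Add a check immediately after the assignment, for example
	if (realm == NULL) {
		ret = ENOMEM;
		goto out;
	}
and consider returning HDB_ERR_NOENTRY instead when dnsdomain itself is NULL, so a trust object without trustPartner is reported as "no entry" rather than as an allocation failure. Hoisting this block above `p = talloc(mem_ctx, struct samba_kdc_entry);` is otherwise the right move: none of the lookups need p, and the early HDB_ERR_NOENTRY / EINVAL exits no longer allocate an entry they then abandon.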
@@ -1023,33 +1049,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 
 	entry_ex->entry.valid_start = NULL;
 
-	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
-
-	if (direction == INBOUND) {
-		password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
-
-	} else { /* OUTBOUND */
-		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
-		/* replace realm */
-		realm = strupper_talloc(mem_ctx, dnsdomain);
-		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
-	}
-
-	if (!password_val || !(trust_direction_flags & direction)) {
-		krb5_clear_error_message(context);
-		ret = HDB_ERR_NOENTRY;
-		goto out;
-	}
-
-	ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
-					   (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		krb5_clear_error_message(context);
-		ret = EINVAL;
-		goto out;
-	}
-
-
 	/* we need to work out if we are going to use the current or
 	 * the previous password hash.
 	 * We base this on the kvno the client passes in. If the kvno
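Review bot: this hunk is the removal half of the relocation and is a straight delete, but neither hunk shows the consumer of realm, the krb5_principal_set_realm() call named in the commit message, so a reviewer cannot confirm from the diff alone that the new position is ahead of it; mention its location in the commit message or include it as context. More importantly, a regression in the realm of outbound-trust principals is exactly the kind of change that should carry a test: the earlier part of this thread refers to additional tests in autobuild, so add one that looks up an outbound trust entry and asserts that the returned principal's realm is the upper-cased trustPartner rather than the local realm.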
-- 
1.9.1