eUPN and Kerberos PAC issues

Andrew Bartlett abartlet at samba.org
Tue Mar 17 22:13:13 MDT 2015


On Mon, 2015-03-16 at 10:35 +0100, Stefan (metze) Metzmacher wrote:
> Am 16.03.2015 um 01:48 schrieb Andrew Bartlett:
> > On Sun, 2015-03-15 at 22:55 +0100, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >>>>> I don't see the additional tests in your autobuild.  Are you planning on
> >>>>> pushing those later?
> >>>>
> >>>> There was a problem with the s4member env.
> >>>>
> >>>> I've fixed the bug, see
> >>>> https://git.samba.org/?p=metze/samba-autobuild/.git;a=commitdiff;h=272ab25b540f8e2a718fbdff5acc6e73798fc415
> >>>> and pushed everything.
> >>>
> >>> Thank you so much for looking into this, and sorry for the bother!
> >>>
> >>> I'm really pleased with how the KDC and our AD support is improving, and
> >>> being validated.  Thanks for all your efforts in this area.
> >>
> >> What about the following two patches?
> > 
> > The gensec_gssapi patch looks reasonable, pushed.
> > 
> > The second I would still really like a test for, because of how fragile
> > this area is.
> 
> What happens currently is the following:
> 
> The principal given by the caller of samba_kdc_trust_message2entry() is
> "krbtgt/S4XDOM.BASE@W2012R2-L4.BASE"
> and we set entry_ex->entry.principal to "krbtgt/S4XDOM.BASE@S4XDOM.BASE".
> 
> The main _kdc_tgs_rep() uses krbtgt->entry->principal in tgs_build_reply(),
> like this:
> 
> /* Now refetch the primary krbtgt, and get the current kvno (the
>  * sign check may have been on an old kvno, and the server may
>  * have been an incoming trust) */
> ret = krb5_make_principal(context, &krbtgt_principal,
>                           krb5_principal_get_comp_string(context,
>                                                          krbtgt->entry.principal,
>                                                          1),
>                           KRB5_TGS_NAME,
>                           krb5_principal_get_comp_string(context,
>                                                          krbtgt->entry.principal,
>                                                          1),
>                           NULL);
> if(ret) {
>     kdc_log(context, config, 0,
>             "Failed to generate krbtgt principal");
>     goto out;
> }
> 
> ret = _kdc_db_fetch(context, config, krbtgt_principal,
>                     HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
> 
> krbtgt_principal is "krbtgt/S4XDOM.BASE@S4XDOM.BASE",
> the realm of krbtgt->entry->principal doesn't matter.
> 
> krbtgt_out->entry.principal is also "krbtgt/S4XDOM.BASE@S4XDOM.BASE",
> which is used to sign the PAC. While krbtgt->entry was used to validate
> the PAC.
> 
> The only thing that differs seems to be confusing log messages and
> confusing values seen within a debugger.
> I don't know how we could test this automatically.

I'm just looking for something that checks we can get that ticket at
all, and (if possible for a ticket in that direction) that it has the
right value by decrypting it.  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
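Added example (not Samba or Heimdal code): a stand-alone model of the "refetch the primary krbtgt" step quoted from tgs_build_reply() above. It parses Kerberos principal strings with backslash escapes (the message shows the principals with "@" rendered as " at "), then rebuilds the krbtgt principal the way the quoted krb5_make_principal() call does, taking both the realm and the second component from component 1 of the incoming krbtgt, so the realm of the entry that verified the PAC is never used. The names Principal, parse_principal and primary_krbtgt_for are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str

    def __str__(self):
        def esc(s):
            return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)

def parse_principal(text):
    """Split 'comp0/comp1@REALM' into parts, honouring backslash escapes."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped '/', '@' or '\'
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and ch == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    return Principal(tuple(comps), "".join(cur))

def primary_krbtgt_for(krbtgt):
    """Mirror the quoted krb5_make_principal() call: realm and second
    component both come from component 1 of the krbtgt entry that was
    used to verify the PAC, so that entry's own realm is irrelevant."""
    if len(krbtgt.components) != 2 or krbtgt.components[0] != "krbtgt":
        raise ValueError("not a krbtgt principal: %s" % krbtgt)
    target = krbtgt.components[1]
    return Principal(("krbtgt", target), target)

if __name__ == "__main__":
    # Constructed inputs: the two krbtgt names discussed in the message.
    for name in ("krbtgt/S4XDOM.BASE@W2012R2-L4.BASE",
                 "krbtgt/S4XDOM.BASE@S4XDOM.BASE"):
        print("%-40s -> %s" % (name, primary_krbtgt_for(parse_principal(name))))
```

Both inputs rebuild to the same local krbtgt principal, which is the entry that the KDC then fetches (with its current kvno) to sign the PAC.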


