eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at samba.org
Wed Mar 18 01:47:20 MDT 2015


Am 18.03.2015 um 05:13 schrieb Andrew Bartlett:
> On Mon, 2015-03-16 at 10:35 +0100, Stefan (metze) Metzmacher wrote:
>> Am 16.03.2015 um 01:48 schrieb Andrew Bartlett:
>>> On Sun, 2015-03-15 at 22:55 +0100, Stefan (metze) Metzmacher wrote:
>>>> Hi Andrew,
>>>>
>>>>>>> I don't see the additional tests in your autobuild.  Are you planning on
>>>>>>> pushing those later?
>>>>>>
>>>>>> There was a problem with the s4member env.
>>>>>>
>>>>>> I've fixed the bug, see
>>>>>> https://git.samba.org/?p=metze/samba-autobuild/.git;a=commitdiff;h=272ab25b540f8e2a718fbdff5acc6e73798fc415
>>>>>> and pushed everything.
>>>>>
>>>>> Thank you so much for looking into this, and sorry for the bother!
>>>>>
>>>>> I'm really pleased with how the KDC and our AD support is improving, and
>>>>> being validated.  Thanks for all your efforts in this area.
>>>>
>>>> What about the following two patches?
>>>
>>> The gensec_gssapi patch looks reasonable, pushed.
>>>
>>> The second I would still really like a test for, because of how fragile
>>> this area is.
>>
>> What happens currently is the following:
>>
>> The given principal by the caller of samba_kdc_trust_message2entry() is
>> "krbtgt/S4XDOM.BASE@W2012R2-L4.BASE"
>> and we set entry_ex->entry.principal to "krbtgt/S4XDOM.BASE@S4XDOM.BASE".
>>
>> The main _kdc_tgs_rep() uses krbtgt->entry->principal in tgs_build_reply(),
>> like this:
>>
>> /* Now refetch the primary krbtgt, and get the current kvno (the
>>  * sign check may have been on an old kvno, and the server may
>>  * have been an incoming trust) */
>> ret = krb5_make_principal(context, &krbtgt_principal,
>>                           krb5_principal_get_comp_string(context,
>>                                                          krbtgt->entry.principal,
>>                                                          1),
>>                           KRB5_TGS_NAME,
>>                           krb5_principal_get_comp_string(context,
>>                                                          krbtgt->entry.principal,
>>                                                          1),
>>                           NULL);
>> if(ret) {
>>     kdc_log(context, config, 0,
>>             "Failed to generate krbtgt principal");
>>     goto out;
>> }
>>
>> ret = _kdc_db_fetch(context, config, krbtgt_principal,
>>                     HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
>>
>> krbtgt_principal is "krbtgt/S4XDOM.BASE@S4XDOM.BASE",
>> the realm of krbtgt->entry->principal doesn't matter.
>>
>> krbtgt_out->entry.principal is also "krbtgt/S4XDOM.BASE@S4XDOM.BASE",
>> which is used to sign the PAC. While krbtgt->entry was used to validate
>> the PAC.
>>
>> The only thing that differs seems to be confusing log messages and
>> confusing values seen within a debugger.
>> I don't know how we could test this automatically.
> 
> I'm just looking for something that checks we can get that ticket at
> all, and (if possible for a ticket in that direction) that it has the
> right value by decrypting it.  

We'll get that when we have tests which run against two environments
which trust each other. But we need a lot of other patches before.

In the meantime can we please just push this fix for this simple regression?
So that we don't block the backport you proposed for 4.2.

Thanks!
metze
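The two-entry flow metze walks through above (validate the PAC with the krbtgt entry the ticket was issued for, then refetch the primary krbtgt by its second principal component and sign with that entry's key), as an added illustration that is not Samba or Heimdal code: the key database, the keys and the PAC bytes are constructed, and an HMAC stands in for the real PAC checksum.

```python
import hmac
import hashlib

# Constructed stand-in for the KDC database: the incoming-trust krbtgt entry
# and the local primary krbtgt. The keys are made-up bytes, not Kerberos keys.
HDB = {
    "krbtgt/S4XDOM.BASE@W2012R2-L4.BASE": b"constructed-trust-key",
    "krbtgt/S4XDOM.BASE@S4XDOM.BASE": b"constructed-local-krbtgt-key",
}


def split_principal(princ):
    """Split 'comp0/comp1@REALM' into ([comp0, comp1], REALM).
    Kerberos escaping (\\@, \\/) is not handled in this illustration."""
    name, realm = princ.rsplit("@", 1)
    return name.split("/"), realm


def primary_krbtgt_principal(krbtgt_princ):
    """Mirror the refetch in tgs_build_reply(): take component 1 of the
    validating entry's principal and build krbtgt/<comp1>@<comp1>.
    The realm of the validating entry is deliberately ignored."""
    comps, _realm = split_principal(krbtgt_princ)
    return "krbtgt/{0}@{0}".format(comps[1])


def pac_checksum(key, pac):
    """Stand-in for the PAC server/KDC checksum."""
    return hmac.new(key, pac, hashlib.sha256).digest()


def tgs_rep(validating_princ, pac, incoming_sig):
    """Validate the PAC with the entry named in the presented ticket, then
    refetch the primary krbtgt and re-sign. Returns (signing_princ, sig)."""
    expected = pac_checksum(HDB[validating_princ], pac)
    if not hmac.compare_digest(expected, incoming_sig):
        raise ValueError("PAC signature check failed")
    signing_princ = primary_krbtgt_principal(validating_princ)
    return signing_princ, pac_checksum(HDB[signing_princ], pac)


def demo():
    """Cross-realm case: PAC arrives signed by the trust key, leaves signed
    by the local krbtgt key. Returns (signing principal, signature changed)."""
    pac = b"constructed PAC blob"
    trust_princ = "krbtgt/S4XDOM.BASE@W2012R2-L4.BASE"
    sig_in = pac_checksum(HDB[trust_princ], pac)
    signer, sig_out = tgs_rep(trust_princ, pac, sig_in)
    return signer, sig_out != sig_in
```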
