[PATCHES] limit kerberos encryption types used by winbindd
Alexander Bokovoy
ab at samba.org
Sun Jul 24 12:49:16 UTC 2016
On Sun, 24 Jul 2016, Ira Cooper wrote:
> On Sun, Jul 24, 2016 at 6:17 AM, Uri Simchoni <uri at samba.org> wrote:
>
> > Hi,
> >
> > The attached patch set adds an smb.conf parameter which controls the
> > Kerberos etypes placed in the krb5.conf file generated by winbindd and
> > the net command (for some sub-commands such as net ads testjoin).
> >
> > It enables:
> > 1. limiting the encryption types to AES at the client side to prevent
> > downgrade attacks.
> >
> > 2. limiting encryption to RC4 to work around an issue with an RODC and a
> > mixed env of 2003R2 and 2008R2 DCs.
> >
> > 1/4 - adds the parameter
> > 2/4 - modify building of private krb5.conf to use the parameter
> > 3/4 - a Heimdal fix for GSSAPI TGS requests which ignore krb5.conf (also
> > sent upstream, still no resolution)
> > 4/4 - a tshark-based test to ensure only configured etypes are being
> > used in the actual Kerberos exchanges.
> >
> > Caveats:
> > - Not tested with MIT, just with Heimdal (+1 to get those MIT patches in
> > and have an MIT-based testenv!)
> > - The test suite uses tshark and silently succeeds if it's not
> > installed. This is so to avoid breaking people's dev env. It seems to be
> > installed on sn-devel-1(0|4)4 so this arrangement will cause the test to
> > run in autobuild, but it's not ideal and I'd appreciate suggestions on
> > that.
> >
>
> Right now the MIT build is broken:
>
>
> default/auth/credentials/credentials_krb5_7.o: In function
> `cli_credentials_shallow_ccache':
> /builddir/build/BUILD/samba-4.5.0/bin/../auth/credentials/credentials_krb5.c:766:
> undefined reference to `krb5_cc_copy_cache'
> collect2: error: ld returned 1 exit status
> Waf: Leaving directory `/builddir/build/BUILD/samba-4.5.0/bin'
> Build failed: -> task failed (err #1):
> {task: cc_link
> srv_keytab_8.o,credentials_1.o,secrets_6.o,credentials_krb5_7.o,credentials_ntlm_9.o,credentials_secrets_8.o,kerberos_util_6.o
> -> libsamba-credentials.so}
> Makefile:8: recipe for target 'all' failed
> make: *** [all] Error 1
>
> I'd be glad to compile your patch on F24, but well... This is a problem :).
Attached patch should help.
--
/ Alexander Bokovoy
-------------- next part --------------
From 69685be87be76ad7f85370bc1f657bb6b5b04f0c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Sun, 24 Jul 2016 15:47:33 +0300
Subject: [PATCH] Wrap krb5_cc_copy_creds and krb5_cc_copy_cache
Heimdal and MIT Kerberos have different API to copy credentials from a
ccache. Wrap it via lib/krb5_wrap/.
Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
auth/credentials/credentials_krb5.c | 4 ++--
lib/krb5_wrap/krb5_samba.c | 12 ++++++++++++
lib/krb5_wrap/krb5_samba.h | 3 +++
source4/heimdal_build/wscript_configure | 1 +
wscript_configure_system_mitkrb5 | 1 +
5 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 0bd6595..82b6de9 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -763,8 +763,8 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
TALLOC_FREE(ccache_name);
- ret = krb5_cc_copy_cache(ccc->smb_krb5_context->krb5_context,
- old_ccc->ccache, ccc->ccache);
+ ret = smb_krb5_cc_copy_creds(ccc->smb_krb5_context->krb5_context,
+ old_ccc->ccache, ccc->ccache);
if (ret != 0) {
TALLOC_FREE(ccc);
return ret;
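Review bot: no `#include` is added alongside the switch to `smb_krb5_cc_copy_creds()`, so this hunk relies on auth/credentials/credentials_krb5.c already pulling in lib/krb5_wrap/krb5_samba.h; please confirm it does, otherwise the call compiles against an implicit declaration on some toolchains and fails on others. The return-value handling below the call (`if (ret != 0)`) stays valid because the wrapper returns the same `krb5_error_code` type on both libraries.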
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 8064f17..2943b33 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3039,6 +3039,18 @@ krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
}
#endif
+krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
+ krb5_ccache incc, krb5_ccache outcc)
+{
+#ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */
+ return krb5_cc_copy_cache(context, incc, outcc);
+#elif defined(HAVE_KRB5_CC_COPY_CREDS)
+ return krb5_cc_copy_creds(context, incc, outcc);
+#else
+#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION
+#endif
+}
+
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
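Review bot: the two wrapped calls are not necessarily drop-in equivalents, and the new function carries no comment saying what a caller may assume about `outcc`; Heimdal's `krb5_cc_copy_cache()` and MIT's `krb5_cc_copy_creds()` may differ in details such as whether the destination cache must already be initialized, so document the expected state of `outcc` above the definition and verify that cli_credentials_shallow_ccache() satisfies it on both libraries. The `#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION` fallback is the right choice: a build with neither function fails loudly at compile time instead of silently skipping the credential copy.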
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index f988858..2d31619 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -396,6 +396,9 @@ int smb_krb5_principal_get_type(krb5_context context,
krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...);
#endif
+krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
+ krb5_ccache incc, krb5_ccache outcc);
+
#endif /* HAVE_KRB5 */
int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
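Review bot: the new prototype has no brief description; a one-line comment stating that it resolves to `krb5_cc_copy_cache()` on Heimdal and `krb5_cc_copy_creds()` on MIT would tell callers why this wrapper exists and that it must be used instead of calling either library function directly.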
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 79b461c..67ac34b 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -104,6 +104,7 @@ conf.define('HAVE_INITIALIZE_KRB5_ERROR_TABLE', 1)
conf.define('HAVE_KRB5_ADDRESSES', 1)
conf.define('HAVE_KRB5_AUTH_CON_SETKEY', 1)
conf.define('HAVE_KRB5_CC_GET_LIFETIME', 1)
+conf.define('HAVE_KRB5_CC_COPY_CACHE', 1)
conf.define('HAVE_KRB5_CREATE_CHECKSUM', 1)
conf.define('HAVE_KRB5_CRYPTO', 1)
conf.define('HAVE_KRB5_CRYPTO_DESTROY', 1)
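Review bot: the unconditional `conf.define('HAVE_KRB5_CC_COPY_CACHE', 1)` is consistent with how this file declares the rest of the bundled Heimdal API, but it is inserted after `HAVE_KRB5_CC_GET_LIFETIME`, which breaks the alphabetical ordering of the surrounding `HAVE_KRB5_*` lines; move it one line up, before `HAVE_KRB5_CC_GET_LIFETIME`.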
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 0d47ccb..57a729d 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -118,6 +118,7 @@ conf.CHECK_FUNCS('''
krb5_get_init_creds_keyblock krb5_get_init_creds_keytab
krb5_make_principal krb5_build_principal_alloc_va
krb5_cc_get_lifetime krb5_cc_retrieve_cred
+ krb5_cc_copy_creds
krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum
krb5_config_get_bool_default krb5_get_profile
krb5_data_copy
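Review bot: `krb5_cc_copy_creds` is added to a CHECK_FUNCS list where, unless the call is marked mandatory, a missing function only leaves HAVE_KRB5_CC_COPY_CREDS undefined, while the wrapper in lib/krb5_wrap/krb5_samba.c then hits its `#error` branch at compile time; if a system MIT library without this function is a supported target, either make the check fatal at configure time with a clear message or note in the commit message that the compile-time failure is intended. Only the bundled Heimdal and system MIT configurations are touched by this patch, so any other system Kerberos configuration Samba can build against also needs a matching check for `krb5_cc_copy_cache` to avoid the same `#error`.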
--
2.7.4