[PATCHES] limit kerberos encryption types used by winbindd

Alexander Bokovoy ab at samba.org
Sun Jul 24 12:49:16 UTC 2016


On Sun, 24 Jul 2016, Ira Cooper wrote:
> On Sun, Jul 24, 2016 at 6:17 AM, Uri Simchoni <uri at samba.org> wrote:
> 
> > Hi,
> >
> > The attached patch set adds an smb.conf parameter which controls the
> > Kerberos etypes placed in the krb5.conf file generated by winbindd and
> > the net command (for some sub-commands such as net ads testjoin).
> >
> > It enables:
> > 1. limiting the encryption types to AES at the client side to prevent
> > downgrade attacks.
> >
> > 2. limiting encryption to RC4 to work around an issue with an RODC and a
> > mixed env of 2003R2 and 2008R2 DCs.
> >
> > 1/4 - adds the parameter
> > 2/4 - modify building of private krb5.conf to use the parameter
> > 3/4 - a Heimdal fix for GSSAPI TGS requests which ignore krb5.conf (also
> > sent upstream, still no resolution)
> > 4/4 - a tshark-based test to ensure only configured etypes are being
> > used in the actual Kerberos exchanges.
> >
> > Caveats:
> > - Not tested with MIT, just with Heimdal (+1 to get those MIT patches in
> > and have an MIT-based testenv!)
> > - The test suite uses tshark and silently succeeds if it's not
> > installed. This is so as to avoid breaking people's dev env. It seems to be
> > installed on sn-devel-1(0|4)4 so this arrangement will cause the test to
> > run in autobuild, but it's not ideal and I'd appreciate suggestions on
> > that.
> >
> 
> Right now the MIT build is broken:
> 
> 
> default/auth/credentials/credentials_krb5_7.o: In function
> `cli_credentials_shallow_ccache':
> /builddir/build/BUILD/samba-4.5.0/bin/../auth/credentials/credentials_krb5.c:766:
> undefined reference to `krb5_cc_copy_cache'
> collect2: error: ld returned 1 exit status
> Waf: Leaving directory `/builddir/build/BUILD/samba-4.5.0/bin'
> Build failed:  -> task failed (err #1):
>     {task: cc_link
> srv_keytab_8.o,credentials_1.o,secrets_6.o,credentials_krb5_7.o,credentials_ntlm_9.o,credentials_secrets_8.o,kerberos_util_6.o
> -> libsamba-credentials.so}
> Makefile:8: recipe for target 'all' failed
> make: *** [all] Error 1
> 
> I'd be glad to compile your patch on F24, but well... This is a problem :).
The attached patch should help.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From 69685be87be76ad7f85370bc1f657bb6b5b04f0c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Sun, 24 Jul 2016 15:47:33 +0300
Subject: [PATCH] Wrap krb5_cc_copy_creds and krb5_cc_copy_cache

Heimdal and MIT Kerberos have different API to copy credentials from a
ccache. Wrap it via lib/krb5_wrap/.

Signed-off-by: Alexander Bokovoy <ab at samba.org>
---
 auth/credentials/credentials_krb5.c     |  4 ++--
 lib/krb5_wrap/krb5_samba.c              | 12 ++++++++++++
 lib/krb5_wrap/krb5_samba.h              |  3 +++
 source4/heimdal_build/wscript_configure |  1 +
 wscript_configure_system_mitkrb5        |  1 +
 5 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 0bd6595..82b6de9 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -763,8 +763,8 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
 
 	TALLOC_FREE(ccache_name);
 
-	ret = krb5_cc_copy_cache(ccc->smb_krb5_context->krb5_context,
-				 old_ccc->ccache, ccc->ccache);
+	ret = smb_krb5_cc_copy_creds(ccc->smb_krb5_context->krb5_context,
+				     old_ccc->ccache, ccc->ccache);
 	if (ret != 0) {
 		TALLOC_FREE(ccc);
 		return ret;
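Review bot: the call site keeps the wrapper's argument order (context, source ccache, destination ccache) as declared in krb5_samba.h, so the replacement is correct; the one thing to confirm is that credentials_krb5.c includes lib/krb5_wrap/krb5_samba.h, since the old call resolved against the Heimdal library directly and the wrapper prototype is what the MIT build now needs to see.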
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 8064f17..2943b33 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3039,6 +3039,18 @@ krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
 }
 #endif
 
+krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
+				       krb5_ccache incc, krb5_ccache outcc)
+{
+#ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */
+	return krb5_cc_copy_cache(context, incc, outcc);
+#elif defined(HAVE_KRB5_CC_COPY_CREDS)
+	return krb5_cc_copy_creds(context, incc, outcc);
+#else
+#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION
+#endif
+}
+
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
  int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
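Review bot: the new public wrapper has no comment; add a short block comment above smb_krb5_cc_copy_creds() saying that it copies credentials from incc to outcc and maps to krb5_cc_copy_cache() on Heimdal and krb5_cc_copy_creds() otherwise. The `#error` branch is the right choice (a missing configure probe becomes a compile-time failure instead of a silent link error like the one Ira reported), but it deserves a one-line comment so the next reader knows it is deliberate.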
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index f988858..2d31619 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -396,6 +396,9 @@ int smb_krb5_principal_get_type(krb5_context context,
 krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...);
 #endif
 
+krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
+				       krb5_ccache incc, krb5_ccache outcc);
+
 #endif /* HAVE_KRB5 */
 
 int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
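Review bot: the prototype placement is consistent with the definition: it sits inside the HAVE_KRB5 section of the header, matching the definition's position before `#else /* HAVE_KRB5 */` in krb5_samba.c, so a build without Kerberos neither declares nor defines the symbol.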
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 79b461c..67ac34b 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -104,6 +104,7 @@ conf.define('HAVE_INITIALIZE_KRB5_ERROR_TABLE', 1)
 conf.define('HAVE_KRB5_ADDRESSES', 1)
 conf.define('HAVE_KRB5_AUTH_CON_SETKEY', 1)
 conf.define('HAVE_KRB5_CC_GET_LIFETIME', 1)
+conf.define('HAVE_KRB5_CC_COPY_CACHE', 1)
 conf.define('HAVE_KRB5_CREATE_CHECKSUM', 1)
 conf.define('HAVE_KRB5_CRYPTO', 1)
 conf.define('HAVE_KRB5_CRYPTO_DESTROY', 1)
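Review bot: the new define breaks the alphabetical order of the surrounding list (HAVE_KRB5_CC_COPY_CACHE belongs before HAVE_KRB5_CC_GET_LIFETIME); move it up one line. The unconditional conf.define() is fine only because this file configures the bundled Heimdal, where the function is known to exist; a system Kerberos would need a probe like the MIT hunk uses.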
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 0d47ccb..57a729d 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -118,6 +118,7 @@ conf.CHECK_FUNCS('''
        krb5_get_init_creds_keyblock krb5_get_init_creds_keytab
        krb5_make_principal krb5_build_principal_alloc_va
        krb5_cc_get_lifetime krb5_cc_retrieve_cred
+       krb5_cc_copy_creds
        krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum
        krb5_config_get_bool_default krb5_get_profile
        krb5_data_copy
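Review bot: krb5_cc_copy_creds is added to an optional CHECK_FUNCS probe, so an MIT build where the probe fails will only error out later at compile time via the `#error` in krb5_samba.c; if the function is required for the MIT build to link, consider failing at configure time with a clearer message. Placement among the other krb5_cc_* probes is fine.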
-- 
2.7.4
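The tshark-based check Uri describes, as an added example that is not part of the patch set or of Samba's test suite: it runs over a constructed `tshark -T fields` dump (the `kerberos.msg_type` and `kerberos.etype` field names are real Wireshark fields; the PROFILES mapping from a configuration value to permitted etypes is an assumption for illustration).

```python
"""Verify that a captured Kerberos exchange only used the configured etypes.

Added example, not Samba's own test. Input is the output of
  tshark -r cap.pcap -Y kerberos -T fields -e kerberos.msg_type -e kerberos.etype
where multi-valued fields are comma-joined (tshark's default).
"""
from typing import Dict, List, Set, Tuple

# Etype numbers from RFC 3961 / RFC 4757.
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Assumed mapping of a configuration value to the etypes it permits.
PROFILES: Dict[str, Set[int]] = {
    "strong": {17, 18},          # AES only: defeats an RC4 downgrade
    "legacy": {23},              # RC4 only: the RODC / 2003R2 workaround
    "all": set(ETYPE_NAMES),
}

# Constructed sample: msg_type 10=AS-REQ, 11=AS-REP, 12=TGS-REQ, 13=TGS-REP.
# The AS-REQ still offers RC4 (23) and the TGS-REP is RC4-encrypted, which
# an AES-only configuration must not allow.
SAMPLE_TSHARK_OUTPUT = "10\t18,17,23\n11\t18\n12\t18,17\n13\t23\n"


def parse_tshark_fields(text: str) -> List[Tuple[int, List[int]]]:
    """Parse (msg_type, [etype, ...]) rows from tab-separated tshark output."""
    rows = []
    for line in text.splitlines():
        msg_type, _, etypes = line.partition("\t")
        if not msg_type.strip() or not etypes.strip():
            continue  # blank line or a message without an etype field
        rows.append((int(msg_type), [int(e) for e in etypes.split(",")]))
    return rows


def offending_etypes(text: str, allowed: Set[int]) -> List[Tuple[int, str]]:
    """Return (msg_type, etype name) pairs that fall outside the allowed set."""
    bad = []
    for msg_type, etypes in parse_tshark_fields(text):
        for e in etypes:
            if e not in allowed:
                bad.append((msg_type, ETYPE_NAMES.get(e, f"etype-{e}")))
    return bad
```

An empty result for the configured profile is the pass condition; anything listed names the message type and the etype that leaked through.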
