Cross realm S4U2Self cont.
Isaac Boukris
iboukris at gmail.com
Tue Aug 7 13:20:12 UTC 2018
On Mon, Aug 6, 2018 at 3:36 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> What I still wonder is, why does it seem to be a problem only with
> s4u2self, or is it really?
> Technically it sounds like it should happen with regular tickets too,
> so I'm trying to trigger it that way (and also, to see how can it be
> tested in samba).
So I've tested using a regular ticket for the same principal, acquired
with kinit and kvno with referrals, and there was no error.
A closer look seems to indicate that, in that case, the Windows KDC does
not send a transit list so the check is skipped (transited.contents.length
== 0), and only sends it in the s4u2self case.
Not that it changes much, but it feels like I'm missing something.
> As regarding my last comment about the same issue in samba KDC side,
> I'm not so sure actually, I'm trying to test this again now.
> However, I think I found another bug in samba KDC with transitive
Well, apart from that other bug, there is the same transit-check issue
on the KDC side, twice actually.
The attached proof-of-concept patch disables them both, and with it
transitive trust works both ways.
Since it is not using gss, I think we'd need some KDC configuration
option to disable the transit check unconditionally.
-------------- next part --------------
From 3a6f28e7daac7168eaf08687ac5eb8c80ddb8fef Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 7 Aug 2018 15:56:23 +0300
Subject: [PATCH] wip: kdc: disable transit check
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
source4/heimdal/kdc/krb5tgs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index de46489c105..2ec75a04aeb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -787,13 +787,13 @@ tgs_make_reply(krb5_context context,
#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
- ret = fix_transited_encoding(context, config,
- !f.disable_transited_check ||
+ ret = fix_transited_encoding(context, config, 0,
+ /*!f.disable_transited_check ||
GLOBAL_FORCE_TRANSITED_CHECK ||
PRINCIPAL_FORCE_TRANSITED_CHECK(server) ||
!((GLOBAL_ALLOW_PER_PRINCIPAL &&
PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(server)) ||
- GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
+ GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),*/
&tgt->transited, &et,
krb5_principal_get_realm(context, client_principal),
krb5_principal_get_realm(context, server->entry.principal),
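Review bot: The third argument to fix_transited_encoding() in tgs_make_reply() is now the constant 0, so the check is off for every TGS reply and none of f.disable_transited_check, GLOBAL_FORCE_TRANSITED_CHECK or the per-principal macros can turn it back on. For anything beyond a proof of concept, keep the original expression and OR in a new KDC configuration setting (the option the cover mail proposes) so that the default behaviour stays "check", and drop the commented-out block rather than leaving it as dead code. A short comment stating which cross-realm case needs the check relaxed would also help later readers judge whether the relaxation is still required.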
@@ -1280,6 +1280,8 @@ tgs_parse_request(krb5_context context,
else
verify_ap_req_flags = 0;
+ verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSIT_CHECK;
+
ret = krb5_verify_ap_req2(context,
&ac,
&ap_req,
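Review bot: In tgs_parse_request() the line "verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSIT_CHECK;" sits after the if/else, so the flag is set on both branches and krb5_verify_ap_req2() never performs the transit check for any incoming TGS request. Gate it on the same configuration option as the tgs_make_reply() change, so the two places cannot disagree, and set it only when that option is enabled. The added line also has no comment; one explaining why the transit check is skipped here would make the intent reviewable.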
--
2.14.3