Cross realm S4U2Self cont.

Isaac Boukris iboukris at
Tue Jul 24 12:15:56 UTC 2018


Recently, I had some time to hack on this so I cleaned up the s4u2self
heimdal client fix which I mentioned some while ago, and opened a PR
to heimdal upstream (see: #389).
I soon realized however, that it cannot be easily tested upstream
since without proper hdb plugin to check s4u and pac the kdc would
give any ticket to self and there is no need for referrals.

When I tried to test it within samba, which does have these plugin
checks, I found some issues with the kdc processing which caused it to
fail, both samba to AD trust and vice versa.
The main issue is the PAC_CLIENT_INFO field which according to MS-SFU
3.2.5.x is different in referral ticket as it includes the domain as
user at domain, so we need to calculate it before signing and also make
sure we use the correct PAC and cname/crealm (only the final one bears
the name of the impersonated user).
Note that this signing issue is only relevant for kdc, since the
service only sees the final PAC.

I made a prove-of-concept patch for these issues, including a test
using net-kerberos-pac-dump command, see (works against AD trust both
ways and between samba DCs):

To solve the pac signing issue with full name I used enterprise name
as a trick so it'll end up fully parsed, but perhaps we need an
alternative krb5_pac_verify_ref() instead.
I currently also skip 'check_s4u2self' and delegation checks since we
don't have ta db handle locally for the service, assuming their kdc
would check that, but I am not sure that's ok.

Currently some tests are failing, namely ones related to s4u,
enterprise names, canonicalize and so on, and I'm trying to work
around some of them by falling back to old behavior for cases where we
as a service wrongly assume the user isn't in our realm due to naming
differences (netbios, upn).
A better fix would be to implement "Using the User's Realm and User
Name to Identify the User" section from MS-SFU by sending
AS request and chasing client referrals to find user's actual realm,
but meanwhile falling back to requesting from own kdc might save some

Any thoughts on the above? Apart of these issues, are there any missing parts?
Feedback welcome :)


More information about the samba-technical mailing list