A question about S4U2Self with MIT KDC
asn at samba.org
Wed Feb 6 11:49:16 UTC 2019
On Wednesday, February 6, 2019 10:21:59 AM CET Isaac Boukris via samba-
> Hi team,
> Given the cross-realm S4U2Self patches have landed upstream mit-krb5
> (see PR #853), I'd like to work on Samba side as well. However I've
> been struggling with the following question (which applies to in-realm
> as well); when processing a S4U2Self TGS-REQ is it required to verify
> the of the PAC in the TGT or can it be ignored?
> Technically, we should be able to verify it (we have both krbtgt and
> server key, or at least the server key in case of cross-realm), and
> Heimdal indeed does that. But the sign_authdata() plugin method in
> MIT, currently does not provide us with the tgt-client principal name
> to match against the PAC (but only with the impersonate principal to
> construct a new PAC).
Thank you very much for working on this and welcome to the wonderful world of
MIT Kerberos development!
Yes, we should verify it as Heimdal does. For that you need to extend the KDB
plugin API from MIT Kerberos to pass down the required tgt-client principal.
Here is an example:
> For in-realm requests we could workaround this by matching against
> 'server->princ' since it is the same principal (assuming the PAC was
> signed using the canonical name) but in cross realm this isn't the
> case, so we may need a new API to be able to verify the PAC.
See above :-)
> I've raised this question back then on krbdev (referenced in
> aforementioned PR) and we couldn't think of a sensible reason why we'd
> need to verify the PAC. However it seems that Windows KDC requires
> that the TGT does include a PAC, since the following command yields
> $ echo -n pwd | kinit apache@ACME.COM --no-request-pac && kvno -Uuser@abc@ACME.COM apache@ACME.COM
> This does not prove that it actually verifies the PAC but does imply
> that. I tried to prove it further by trying to join a Samba DC to a
> Windows domain in order to forge a TGT with a PAC using a wrong
> principal and signatures, but so far I have not succeeded joining as a
> DC to a Windows domain. I'm getting WERR_DS_NO_CROSSREF_FOR_NC error
> against w2k8 and w2k16 - any help on this will be appreciated as well.
Maybe metze can help here. He implemented support for it iirc.
> See attached initial patch for in-realm S4U2Self with MIT KDC (it does
> not currently verify the TGT PAC, but simply discards it).
Looking at the patch. We need more code comments. I'm sorry that we did not do
that since the beginning but it is never too late to start with them :-)
Andreas Schneider asn at samba.org
Samba Team www.samba.org
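As an added illustration of the check discussed in this thread (a constructed model written for this page, not MIT, Heimdal or Samba code): a toy S4U2Self handler that verifies the PAC carried in the presented TGT before it builds a new PAC for the impersonated user. The PAC layout, the key names and the HMAC-SHA256 checksums are stand-ins for the real PAC_SERVER_CHECKSUM / PAC_PRIVSVR_CHECKSUM buffers. The `tgt_client` parameter is the TGT client principal the thread says sign_authdata() does not currently pass down, and `issuer_krbtgt_key=None` models the cross-realm case, where only the key the TGT is encrypted in (the inter-realm key) is available and the issuing realm's KDC checksum cannot be checked.

```python
"""Toy model of the TGT-PAC check an S4U2Self handler should perform.

Constructed example: two HMAC-SHA256 checksums stand in for the PAC server
checksum (keyed with the ticket's encryption key) and the KDC checksum
(keyed with the issuing realm's krbtgt key). All keys and names are made up.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed keys, not real key material.
LOCAL_KRBTGT_KEY = b"constructed-krbtgt/ACME.COM-key"
REMOTE_KRBTGT_KEY = b"constructed-krbtgt/ABC.COM-key"
INTER_REALM_KEY = b"constructed-krbtgt/ACME.COM@ABC.COM-key"  # cross-realm TGT key
SERVICE_KEY = b"constructed-HTTP/web.acme.com-key"            # requesting service
WRONG_KEY = b"constructed-key-nobody-trusts"


@dataclass(frozen=True)
class ToyPac:
    client_name: str         # name from PAC_CLIENT_INFO, e.g. "apache@ACME.COM"
    groups: Tuple[str, ...]  # authorization data the PAC carries
    server_checksum: bytes   # keyed with the key the ticket is encrypted in
    kdc_checksum: bytes      # keyed with the issuing realm's krbtgt key


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _body(client_name: str, groups: Tuple[str, ...]) -> bytes:
    return json.dumps({"client": client_name, "groups": list(groups)},
                      sort_keys=True).encode()


def sign_pac(client_name: str, groups, ticket_key: bytes, krbtgt_key: bytes) -> ToyPac:
    """Issue a PAC: server checksum over the body, KDC checksum over that checksum."""
    server_checksum = _mac(ticket_key, _body(client_name, tuple(groups)))
    kdc_checksum = _mac(krbtgt_key, server_checksum)
    return ToyPac(client_name, tuple(groups), server_checksum, kdc_checksum)


def tamper_client_name(pac: ToyPac, new_name: str) -> ToyPac:
    """Negative test input: a PAC whose client name was edited after signing."""
    return replace(pac, client_name=new_name)


def verify_tgt_pac(pac: ToyPac, tgt_client: str, ticket_key: bytes,
                   issuer_krbtgt_key: Optional[bytes] = None) -> Tuple[bool, str]:
    """Check the PAC found in the TGT of an S4U2Self TGS-REQ.

    tgt_client is the cname of the presented TGT. issuer_krbtgt_key is None in
    the cross-realm case, where only the ticket (inter-realm) key is known.
    """
    expected_server = _mac(ticket_key, _body(pac.client_name, pac.groups))
    if not hmac.compare_digest(expected_server, pac.server_checksum):
        return False, "server checksum mismatch"
    if issuer_krbtgt_key is not None:
        expected_kdc = _mac(issuer_krbtgt_key, pac.server_checksum)
        if not hmac.compare_digest(expected_kdc, pac.kdc_checksum):
            return False, "kdc checksum mismatch"
    # The PAC must describe the same principal the TGT was issued to; without
    # tgt_client this comparison cannot be made at all.
    if pac.client_name != tgt_client:
        return False, "PAC client %s does not match TGT client %s" % (pac.client_name, tgt_client)
    return True, "ok"


def handle_s4u2self(tgt_client: str, tgt_pac: ToyPac, impersonate: str,
                    ticket_key: bytes, service_key: bytes, local_krbtgt_key: bytes,
                    issuer_krbtgt_key: Optional[bytes] = None):
    """Verify the presented PAC first; only then build a PAC for `impersonate`.

    Returns (new_pac, "ok") or (None, reason). The new ticket is to the
    requesting service, so its PAC is keyed with the service key and the
    local krbtgt key. Group data is constructed; a real KDC reads it from the DB.
    """
    ok, why = verify_tgt_pac(tgt_pac, tgt_client, ticket_key, issuer_krbtgt_key)
    if not ok:
        return None, why
    return sign_pac(impersonate, ("Domain Users",), service_key, local_krbtgt_key), "ok"


if __name__ == "__main__":
    # In-realm: the service's own TGT, both keys known to the KDC.
    tgt_pac = sign_pac("apache@ACME.COM", ("Domain Users",), LOCAL_KRBTGT_KEY, LOCAL_KRBTGT_KEY)
    print(handle_s4u2self("apache@ACME.COM", tgt_pac, "alice@ACME.COM",
                          LOCAL_KRBTGT_KEY, SERVICE_KEY, LOCAL_KRBTGT_KEY, LOCAL_KRBTGT_KEY)[1])
    # Cross-realm: TGT from ABC.COM, only the inter-realm key is available here.
    xr_pac = sign_pac("apache@ABC.COM", ("Domain Users",), INTER_REALM_KEY, REMOTE_KRBTGT_KEY)
    print(handle_s4u2self("apache@ABC.COM", xr_pac, "alice@ACME.COM",
                          INTER_REALM_KEY, SERVICE_KEY, LOCAL_KRBTGT_KEY)[1])
    print(verify_tgt_pac(tamper_client_name(xr_pac, "other@ABC.COM"), "other@ABC.COM", INTER_REALM_KEY)[1])
```

The point the model makes is the one raised in the thread: the server checksum and, in-realm, the KDC checksum can be recomputed from keys the KDC already holds, but the name comparison needs the TGT's client principal as a separate input, because in the cross-realm case it is not the same as any principal in the local database.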