kdc: allow referrals for krbtgt in transitively trusted realm

Stefan Metzmacher metze at samba.org
Tue Oct 29 14:49:57 UTC 2019


Hi Isaac,

I just found this old thread.

>> However, I think I found another bug in samba KDC with transitive
>> trust, which would cause s4u2self to fail.
>> This bug is not directly related to s4u2self, and can easily be
>> reproduced with MIT's kvno tool against samba KDC (in transitive trust
>> env).
>>
>> In short, the first step in cross-realm s4u2self, is to obtain a
>> krbtgt to client realm, and while samba kdc gives proper referral to
>> intermediate realm when asked for HOST/transitively-trusted-realm, it
>> won't give a referral when asked for
>> krbtgt/transitively-trusted-realm, so the service cannot get started
>> (windows kdc does give referral in that case).
>> I have a POC patch for this bug (which I'm not happy with), but since
>> it's not directly related, I send it with more details in a separate
>> thread.
> 
> 
> Consider a samba KDC in domain S trusting ad domain A (forest trust),
> which has a child domain C.
> Once I acquire creds in domain S, I run 'kvno HOST/dc-in-domain-C'
> and samba kdc returns tgt-referral to A, which the kvno tool follows
> to end up getting a service ticket from domain C.
> However, if I run 'kvno krbtgt/C@S' samba kdc returns
> KDC_ERR_S_PRINCIPAL_UNKNOWN (while windows kdc returns a referral in
> such case).
> As mentioned, this is necessary for cross-realm s4u2self.
> 
> The attached poc patch solves the bug, but I think not efficient (and
> may leak?). I think what I need is, to find out efficiently in
> samba_kdc_lookup_realm(krbtgt) whether the realm is directly trusted
> in which case return 0, or only transitively trusted and then return
> WRONG_REALM with referral to intermediate realm.

I recently hit the same problem
and created a different fix.

Can you have a look?
It would be good to get this finally fixed.

If you think it's good, I'll extend the commit message
and start a merge request.

Thanks!
metze

-------------- next part --------------
From c9fb15a92193341fbf815d63c74e57f9b2c33f55 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 10 Oct 2019 16:22:35 +0200
Subject: [PATCH] s4:kdc: fix samba_kdc_lookup_realm() with
 krbtgt/OTHER.REALM/OUR.REALM

---
 source4/kdc/db-glue.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index f62a633c6c78..40c13ec3570d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2122,6 +2122,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 	unsigned int num_comp;
 	bool ok;
 	char *upper = NULL;
+	bool get_krbtgt = false;
 
 	num_comp = krb5_princ_size(context, principal);
 
@@ -2197,11 +2198,11 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 
 		ret = principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME);
 		if (ret == 0) {
-			/*
-			 * we need to search krbtgt/ locally
-			 */
-			TALLOC_FREE(frame);
-			return 0;
+			if (num_comp != 2) {
+				TALLOC_FREE(frame);
+				return SDB_ERR_NOENTRY;
+			}
+			get_krbtgt = true;
 		}
 
 		/*
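Review bot: the `if (num_comp != 2)` early return turns every krbtgt/ name that is not exactly two components from "search locally" (the old `return 0`) into SDB_ERR_NOENTRY, but the removed comment `we need to search krbtgt/ locally` was not replaced, so the new rule is undocumented; add a comment above `get_krbtgt = true;` stating that a krbtgt name is krbtgt/REALM, that its realm component is routed by the checks further down, and why anything else is treated as no entry, and mention this behaviour change in the commit message you plan to extend.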
@@ -2252,6 +2253,25 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 		return 0;
 	}
 
+	if (get_krbtgt) {
+		ok = strequal(realm, tdo->domain_name.string);
+		if (ok) {
+			/*
+			 * This principal has to be local
+			 */
+			TALLOC_FREE(frame);
+			return 0;
+		}
+		ok = strequal(realm, tdo->netbios_name.string);
+		if (ok) {
+			/*
+			 * This principal has to be local
+			 */
+			TALLOC_FREE(frame);
+			return 0;
+		}
+	}
+
 	if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
 		/*
 		 * TODO: handle the routing within the forest
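Review bot: the two `if (ok)` blocks under `if (get_krbtgt)` are identical apart from the compared field, so they can be folded into one `if (strequal(realm, tdo->domain_name.string) || strequal(realm, tdo->netbios_name.string))` with a single comment; that comment should say why the principal is local (the requested realm is the directly trusted domain, so its krbtgt entry is in our own database) and that any other realm falls through to the trust-routing code below, since "This principal has to be local" repeated twice does not explain the rule.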
-- 
2.17.1
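The routing described in the thread (HOST/ in a transitively trusted realm gets a referral to the forest root, while krbtgt/ for that realm used to be searched locally and therefore failed), modelled as an added Python example that is not Samba code; the realm names, the forest membership set and the `patched` switch are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustedDomain:            # stand-in for a trusted domain object (TDO)
    domain_name: str            # DNS name of the directly trusted realm
    netbios_name: str
    forest_realms: frozenset    # realms reachable through this forest trust

LOCAL_REALM = "S.EXAMPLE"
# Constructed topology from the thread: S has a forest trust to A, and C is a
# child domain of A, so S trusts C only transitively, via A.
TRUSTS = (TrustedDomain("A.EXAMPLE", "A", frozenset({"A.EXAMPLE", "C.A.EXAMPLE"})),)

def find_tdo(realm, trusts):
    """Return the TDO that is, or whose forest contains, realm (else None)."""
    for tdo in trusts:
        if realm in (tdo.domain_name, tdo.netbios_name, *tdo.forest_realms):
            return tdo
    return None

def lookup_realm(principal, local_realm, trusts, patched):
    """Realm routing for a TGS request sent to local_realm: returns "local"
    (search the KDC's own database), ("referral", realm) or "unknown"."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    if realm.upper() != local_realm:
        return "unknown"
    is_krbtgt = comps[0] == "krbtgt"
    if is_krbtgt:
        if len(comps) != 2:
            return "unknown"
        if not patched:
            return "local"   # old behaviour: krbtgt/ is always searched locally
        target = comps[1].upper()
    elif len(comps) == 2 and "." in comps[1]:
        target = comps[1].split(".", 1)[1].upper()   # host/fqdn: realm from DNS suffix
    else:
        return "local"
    if target == local_realm:
        return "local"
    tdo = find_tdo(target, trusts)
    if tdo is None:
        return "unknown"
    if is_krbtgt and target in (tdo.domain_name, tdo.netbios_name):
        return "local"   # krbtgt for a directly trusted realm is in our database
    return ("referral", tdo.domain_name)   # transitively trusted: refer to the forest root

def local_krbtgt_exists(target_realm, local_realm, trusts):
    # the local database only holds krbtgt entries for us and for direct trusts
    names = {local_realm} | {n for t in trusts for n in (t.domain_name, t.netbios_name)}
    return target_realm.upper() in names
```

With `patched=False` the krbtgt/C request is routed to the local database, where no entry exists, which is the KDC_ERR_S_PRINCIPAL_UNKNOWN seen in the thread; with `patched=True` it becomes a referral to A.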
