PAC Ticket signature in Heimdal

Isaac Boukris iboukris at samba.org
Sun Jul 11 13:20:55 UTC 2021


Hi Metze,

> > We most likely also need to change some APIs in order to generate PAC Ticket checksums
> > (Wireshark support is being added by Isaac and me, see https://gitlab.com/wireshark/wireshark/-/merge_requests/3570)
> > and also for compound identity PACs when offering FAST.
> > "wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
> > https://github.com/heimdal/heimdal/pull/767
> > might also be related here.
>
> I took a look at PR 767 (which is related to bug 14642), I managed to
> get a poc working, that is the kdc is now able to issue a minimal PAC
> with all signatures even without hdb support, this would allow the
> removal of KRB5SignedPath while keeping S4U2Proxy and its upstream
> test working (we don't need delegation-info for that, and we can live
> on the NDR boundary), I've updated the PR.


Looking at '_kdc_pac_verify' (aka 'samba_wdc_reget_pac'), which is
called after the kdc checked the server signature, I think it currently
does three things, first it checks if the krbtgt is in db to know
whether we can check the kdc signature, if so it then (second) fetches
the right key by the checksum-type to check the signature, and then
(third) it updates PAC buffers such as logon-info and delegation-info
(at which point the server signature can no longer be verified..).

I wonder if we can implement one and two in the KDC and change
'_kdc_pac_verify' to something like '_kdc_update_pac', see the PR
changes for how I'm trying to implement it.
For one, that is checking if a kdc from our realm issued the ticket, I
compare the header realm with the requested server realm, and given
samba should virtually always canonicalize the realm, I think this
check is good enough (this is similar to what we did in MIT with
KRB5_KDB_FLAG_CROSS_REALM), and I think this test helps my case:
https://gitlab.com/samba-team/devel/samba/-/commits/iboukris_test_cross_realm_logic

Implementing two is simple enough, we fetch the right krbtgt key by the
checksum type, like samba does (note that this doesn't solve the kvno
problem..).

Do you think this can work? Any further thoughts on this matter?

Thanks!
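
[Added example, not part of the original mail and not Heimdal or Samba code: a self-contained C sketch of steps one and two as described above, the realm comparison followed by selecting a krbtgt key by PAC checksum type. The struct, function names, sample keys and the PAC_NO_KEY outcome are assumptions made for illustration; the checksum and enctype numbers are the standard MS-PAC and Kerberos values.]

```c
#include <stddef.h>
#include <string.h>

/* PAC signature types (MS-PAC) and the enctypes of the keys that produce them. */
enum { CKSUM_HMAC_MD5 = -138, CKSUM_SHA1_AES128 = 15, CKSUM_SHA1_AES256 = 16 };
enum { ETYPE_AES128 = 17, ETYPE_AES256 = 18, ETYPE_RC4_HMAC = 23 };

/* Hypothetical stand-in for one krbtgt key held in the database. */
struct krbtgt_key { int enctype; unsigned kvno; };
enum pac_decision { PAC_VERIFY_KDC_SIG, PAC_SKIP_CROSS_REALM, PAC_NO_KEY };

/* Constructed sample key set: a realm that has AES256 and RC4 keys only. */
static const struct krbtgt_key SAMPLE_KEYS[] = { { ETYPE_AES256, 2 }, { ETYPE_RC4_HMAC, 2 } };

/* Step two: first key matching the checksum type; kvno is not consulted. */
static const struct krbtgt_key *
key_for_cksum(const struct krbtgt_key *keys, size_t n, int cksumtype)
{
    int etype;
    switch (cksumtype) {
    case CKSUM_HMAC_MD5:    etype = ETYPE_RC4_HMAC; break;
    case CKSUM_SHA1_AES128: etype = ETYPE_AES128;   break;
    case CKSUM_SHA1_AES256: etype = ETYPE_AES256;   break;
    default:                return NULL; /* unknown signature type */
    }
    for (size_t i = 0; i < n; i++)
        if (keys[i].enctype == etype)
            return &keys[i];
    return NULL;
}

/* Step one, then two: header realm must equal the requested server realm. */
enum pac_decision
pac_kdc_sig_decision(const char *hdr_realm, const char *srv_realm,
                     const struct krbtgt_key *keys, size_t n,
                     int cksumtype, const struct krbtgt_key **out)
{
    *out = NULL;
    if (!hdr_realm || !srv_realm || strcmp(hdr_realm, srv_realm) != 0)
        return PAC_SKIP_CROSS_REALM; /* foreign KDC: no key to check with */
    *out = key_for_cksum(keys, n, cksumtype);
    return *out ? PAC_VERIFY_KDC_SIG : PAC_NO_KEY;
}

int main(void)
{
    const struct krbtgt_key *k;
    return pac_kdc_sig_decision("A.TEST", "A.TEST", SAMPLE_KEYS, 2, CKSUM_SHA1_AES256, &k);
}
```

[The realm comparison here is an exact string match, so it relies on the realm having been canonicalized beforehand, as the mail assumes.]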
