Kerberos Constrained Delegation in libsmbclient

Alexander Bokovoy ab at samba.org
Tue Mar 2 16:34:23 UTC 2021


(resending to the list as Vikram responded personally and this is really
a public service).

On Tue, 02 Mar 2021, Vikram Bharti wrote:
> Can you explain to me the input supplied to the FreeIPA? Ideally, the
> credential API should take the service credential (service user, and
> password) and the user principal name ( For whom the user level
> impersonation should be done ) and provide the appropriate token. Which
> can  allow the user to access SMB shares

Typically, you have an application that accepts an incoming connection
authenticated with GSSAPI and then performs its own backend operation,
authenticated by GSSAPI on behalf of the user. It is mostly transparent
to the application -- in the case of FreeIPA we rely on both Samba and
Cyrus SASL doing their job as we talk to smbd and to the LDAP server from a
WSGI application.

I have an older blog about it for FreeIPA which describes how another
application can achieve that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/

Since this blog was published, FreeIPA tools gained the ability to manage
delegation targets ('ipa help servicedelegation'), so configuring became
easier. We also moved to mod_auth_gssapi, so the Apache configuration
would look different.

Anyway, I hacked up a small WSGI program that runs

 smbclient -k -L <hostname>

on the IPA master, reusing the existing delegation configuration for
HTTP/master.ipa.test to delegate to cifs/master.ipa.test. When accessed
with Kerberos authentication, this program just works and generates the
expected output. Since it is running under an unprivileged user, it has no
permission to write to /var/lib/samba or to /, so the errors for those are
expected.

 ipa: DEBUG: WSGI wsgi_dispatch.__call__:
 ipa: DEBUG: WSGI jsonserver.__call__:
 ipa: DEBUG: KerberosWSGIExecutioner.__call__:
 ipa: DEBUG: Created connection context.ldap2_139985529006512
 ipa: DEBUG: WSGI WSGIExecutioner.__call__:
 ipa: DEBUG: Starting external process
 ipa: DEBUG: args=['/usr/bin/smbclient', '-k', '-L', 'master.ipa.test']
 ipa: DEBUG: Process finished, return code=0
 ipa: DEBUG: stdout=
 \tSharename       Type      Comment
 \t---------       ----      -------
 \tIPC$            IPC       IPC Service (Samba 4.13.3)
 SMB1 disabled -- no workgroup available
 
 ipa: DEBUG: stderr=regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
 Failed to initialize the registry: WERR_ACCESS_DENIED
 error initializing registry configuration: SBC_ERR_BADFILE
 /usr/bin/smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
 gencache_init: Failed to create directory: //.cache/samba - No such file or directory
 gencache_init: Failed to create directory: //.cache/samba - No such file or directory
 gencache_init: Failed to create directory: //.cache/samba - No such file or directory
 
 ipa: DEBUG: Destroyed connection context.ldap2_139985529006512


In samba logs for this connection I can see that smbclient authenticated
to smbd with Kerberos and that PAC content includes delegated
credentials:

[2021/03/02 11:23:55.626509,  3, pid=15285, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:415(kerberos_decode_pac)
  Found account name from PAC: admin [Administrator]
[2021/03/02 11:23:55.626537, 10, pid=15285, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:417(kerberos_decode_pac)
  Successfully validated Kerberos PAC
      pac_data: struct PAC_DATA
      [ ...... ]
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_UPN_DNS_INFO (12)
                  _ndr_size                : 0x00000040 (64)
                  info                     : *
                      info                     : union PAC_INFO(case 12)
                      upn_dns_info: struct PAC_UPN_DNS_INFO
                          upn_name_size            : 0x001c (28)
                          upn_name                 : *
                              upn_name                 : 'admin@IPA.TEST'
                          dns_domain_name_size     : 0x0010 (16)
                          dns_domain_name          : *
                              dns_domain_name          : 'IPA.TEST'
                          flags                    : 0x00000001 (1)
                                 1: PAC_UPN_DNS_FLAG_CONSTRUCTED
                  _pad                     : 0x00000000 (0)
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_CONSTRAINED_DELEGATION (11)
                  _ndr_size                : 0x000000c0 (192)
                  info                     : *
                      info                     : union PAC_INFO(case 11)
                      constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
                          info                     : *
                              info: struct PAC_CONSTRAINED_DELEGATION
                                  proxy_target: struct lsa_String
                                      length                   : 0x003a (58)
                                      size                     : 0x003a (58)
                                      string                   : *
                                          string                   : 'HTTP/master.ipa.test@IPA.TEST'
                                  num_transited_services   : 0x00000001 (1)
                                  transited_services       : *
                                      transited_services: ARRAY(1)
                                          transited_services: struct lsa_String
                                              length                   : 0x003a (58)
                                              size                     : 0x003a (58)
                                              string                   : *
                                                  string                   : 'cifs/master.ipa.test@IPA.TEST'
                  _pad                     : 0x00000000 (0)


In short, I do not see any need to add something to libsmbclient to
enable constrained delegation. When you have a properly set up
environment, it will just work correctly.

A properly set up environment includes:

- an application that accepts authenticated GSSAPI connections and has
  its own Kerberos credentials available (in a keytab, for example)

- constrained delegation enabled by the KDC for this application's
  Kerberos service


> 
> On Tue, Mar 2, 2021 at 6:24 PM Alexander Bokovoy <ab at samba.org> wrote:
> 
> > On Tue, 02 Mar 2021, Vikram Bharti via samba-technical wrote:
> > > Any further help would be appreciated.
> >
> > As far as I can see, libsmbclient internally uses the credentials API which
> > means it already should support constrained delegation.
> >
> > I am not using libsmbclient for this use case myself but in FreeIPA we
> > are relying on Samba Python bindings for constrained delegation-based
> > access to LSA RPC and we have no problem with the credentials API.
> >
> >
> > >
> > > On Thu, Feb 25, 2021 at 5:28 PM Vikram Bharti <vikrambharti33 at gmail.com>
> > > wrote:
> > >
> > > > IMO KCD can take service user, password/keytab-file, UPN of
> > > > impersonation user, and SPN of service as inputs (probably in
> > > > auth_callback) or it can take the final service ticket (TGS-REP) as
> > > > input in auth_callback.
> > > > Not so sure which should be the right way, but I leave it up to you
> > > > to decide if these 2 are feasible or if there is a better way.
> > > >
> > > >
> > > >
> > > > On Thu, Feb 25, 2021 at 12:00 AM Jeremy Allison <jra at samba.org> wrote:
> > > >
> > > >> On Wed, Feb 24, 2021 at 05:29:37PM +0530, Vikram Bharti via
> > > >> samba-technical wrote:
> > > >> >Hi,
> > > >> >
> > > >> >I was exploring a way to get KCD to work with libsmbclient APIs and I
> > > >> >see libsmbclient supports Kerberos auth but can't find any API for
> > > >> >impersonation and delegation.
> > > >> >Please let me know if there is a way to get it done.
> > > >>
> > > >> No, this is not currently available in the libsmbclient API's.
> > > >>
> > > >> Can you give an example of what you'd like this to look like,
> > > >> so we can assess how hard it would be to implement ?
> > > >>
> > > >
> >
> > --
> > / Alexander Bokovoy
> >


-- 
/ Alexander Bokovoy
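The PAC dump in the message above is the evidence that smbd actually received an S4U2Proxy ticket rather than a plain user ticket. The script below is an added example, not code from this thread, FreeIPA or Samba: it parses the PAC_UPN_DNS_INFO and PAC_CONSTRAINED_DELEGATION buffers out of a debug-level-10 smbd log, in the shape kerberos_decode_pac() prints them, and compares the recorded chain against the delegation rules an administrator configured (the equivalent of an 'ipa servicedelegation' rule), flagging any front-end service that holds a delegated ticket without a rule, any target a rule does not allow, and a transited-services count that disagrees with the names dumped. It assumes the field orientation seen in the dump above (the front-end service HTTP/... in proxy_target, the service it reached cifs/... in transited_services); which name a KDC puts in which field is implementation-specific, so confirm the orientation against dumps from your own KDC before relying on the check. The rule table and the log excerpt are constructed for the example.

```python
"""Check the delegation chain recorded in a Kerberos PAC against the
constrained-delegation rules an administrator configured.

Added example (not code from the samba-technical thread, FreeIPA or Samba).
Assumption: proxy_target holds the front-end service and transited_services
the services it reached, as in the dump quoted in the message.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed rule table: what an admin would express with
# 'ipa servicedelegationrule-add' plus 'servicedelegationtarget-add',
# reduced to "front-end service -> principals it may obtain tickets for".
DELEGATION_RULES: Dict[str, Set[str]] = {
    "HTTP/master.ipa.test@IPA.TEST": {
        "cifs/master.ipa.test@IPA.TEST",
        "ldap/master.ipa.test@IPA.TEST",
    },
}

# Constructed excerpt in the shape of smbd's kerberos_decode_pac() output
# (timestamps and unrelated buffers trimmed).
SAMPLE_LOG = """\
  Successfully validated Kerberos PAC
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_UPN_DNS_INFO (12)
                      upn_dns_info: struct PAC_UPN_DNS_INFO
                          upn_name                 : *
                              upn_name                 : 'admin@IPA.TEST'
              buffers: struct PAC_BUFFER
                  type                     : PAC_TYPE_CONSTRAINED_DELEGATION (11)
                              info: struct PAC_CONSTRAINED_DELEGATION
                                  proxy_target: struct lsa_String
                                      string                   : *
                                          string                   : 'HTTP/master.ipa.test@IPA.TEST'
                                  num_transited_services   : 0x00000001 (1)
                                  transited_services       : *
                                      transited_services: ARRAY(1)
                                          transited_services: struct lsa_String
                                                  string                   : 'cifs/master.ipa.test@IPA.TEST'
"""

_QUOTED = re.compile(r"^\s*(\w+)\s*:\s*'([^']*)'\s*$")
_FIELD = re.compile(r"^\s*(\w+)\s*:")
_COUNT = re.compile(r"^\s*num_transited_services\s*:\s*0x[0-9a-fA-F]+\s*\((\d+)\)")


@dataclass
class DelegationInfo:
    upn: Optional[str] = None
    proxy_target: Optional[str] = None
    declared_count: Optional[int] = None
    transited_services: List[str] = field(default_factory=list)

    @property
    def delegated(self) -> bool:
        """True when the PAC carries an S4U2Proxy delegation buffer."""
        return self.proxy_target is not None


def parse_pac_dump(text: str) -> DelegationInfo:
    """Pull the UPN and the delegation chain out of an smbd PAC dump."""
    info = DelegationInfo()
    section = None  # which lsa_String the next quoted 'string' line belongs to
    for line in text.splitlines():
        m = _COUNT.match(line)
        if m:
            info.declared_count = int(m.group(1))
            continue
        m = _QUOTED.match(line)
        if m:
            name, value = m.groups()
            if name == "upn_name":
                info.upn = value
            elif name == "string" and section == "proxy_target":
                info.proxy_target = value
            elif name == "string" and section == "transited_services":
                info.transited_services.append(value)
            continue
        m = _FIELD.match(line)
        if m and m.group(1) in ("proxy_target", "transited_services"):
            section = m.group(1)
    return info


def check_delegation(info: DelegationInfo, rules: Dict[str, Set[str]]) -> List[str]:
    """Return findings; empty means the chain matches policy (a ticket that
    was not delegated at all has nothing to check and also returns [])."""
    if not info.delegated:
        return []
    findings = []
    allowed = rules.get(info.proxy_target, set())
    if not allowed:
        findings.append(f"{info.proxy_target} holds an S4U2Proxy ticket but has no delegation rule")
    for svc in info.transited_services:
        if svc not in allowed:
            findings.append(f"{info.proxy_target} -> {svc} for {info.upn} is not an allowed target")
    if info.declared_count is not None and info.declared_count != len(info.transited_services):
        findings.append(f"num_transited_services={info.declared_count} but "
                        f"{len(info.transited_services)} names were dumped")
    return findings


if __name__ == "__main__":
    parsed = parse_pac_dump(SAMPLE_LOG)
    print(f"{parsed.upn} via {parsed.proxy_target} -> {parsed.transited_services}")
    print(check_delegation(parsed, DELEGATION_RULES) or "delegation chain matches policy")
```

Run against the quoted dump the chain HTTP/master.ipa.test -> cifs/master.ipa.test for admin@IPA.TEST matches the rule and produces no findings; feed it a dump where the reached service is one the rule does not list, or where the front-end principal has no rule at all, and each mismatch comes back as a separate finding, which is the signal to look at the KDC's delegation configuration rather than at libsmbclient.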


