Samba KDC support for key-based trusts and strong and weak mappings (+ further kerberos hardening)

Alexander Bokovoy ab at samba.org
Wed May 28 06:24:10 UTC 2025


On Wed, 28 May 2025, Douglas Bagnall via samba-technical wrote:
> hi all,
> 
> We at Catalyst are likely to be working on features that allow tight
> mappings between AD users and certificates. This is getting towards
> "Windows Hello for Business" support, which essentially uses your laptop
> as a hardware security token.
> 
> The msDS-KeyCredentialLink attribute in the AD database indicates
> eligible certificates, while a "SID extension" in a certificate
> indicates the user the certificate expects. We are going to work on those.

Sounds good, thank you for starting this work!

> Another thing we are going to implement are the strong and weak mappings
> using altSecurityIdentities to address the "Certifried" exploit. This
> will matter a lot more for Samba once people start using certificates.
> 
> Also we want to add options to tighten up Kerberos security beyond that
> of Microsoft AD. These are ideas that arose from the CVE cluster known
> as "Andrew's Kerberos Concerns". We want to be able to force the PAC to
> be sent to the target service, and to check the canonicalised usernames
> against cnames. Optionally forcing the PAC will require upstream
> Kerberos changes, so we'll need to see about that.

This is something I have been looking at recently as well. One thing is
that traditionally in the Kerberos protocol these decisions were
deferred to the application servers instead of the KDC. It is possible to
achieve this by the application server choosing to check for the
presence of the PAC buffers, and at least for GSSAPI this is made
relatively easy. However, we are coming more and more to the point where
these kinds of decisions are better enforced centrally.

I've discussed this with MIT Kerberos maintainers recently and I think
we can start by making it possible to force the KDC to reject non-PAC
requests completely.

-- 
/ Alexander Bokovoy
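The strong-versus-weak distinction for altSecurityIdentities that the quoted mail refers to, as an added example (this is not Samba code and not from either author of the thread): a small Python classifier that parses altSecurityIdentities values, rates each as strong or weak, and matches a presented certificate against them, with a hardened mode that ignores weak mappings entirely. It assumes the tag syntax and the strong/weak split documented by Microsoft in KB5014754 (X509:<I>...<SR>..., <SKI>... and <SHA1-PUKEY>... are strong; <I>...<S>..., <S>... and <RFC822>... are weak), and that issuer, subject, serial and key-identifier strings on both sides have already been normalised to the same textual form. The sample mappings, the two certificates (a legitimate one and one whose subject name the requester chose), and the helpers parse_mapping, classify and match_certificate are all invented for illustration.

```python
"""
Classify altSecurityIdentities values as strong or weak certificate
mappings and match a presented certificate against them.

Added example, not Samba code. Tag syntax and strong/weak rating follow
Microsoft's KB5014754 guidance (assumption); certificate fields are a
plain dict constructed inline below and are assumed to be already
normalised to the same textual form the mapping strings use.
"""
import re
from dataclasses import dataclass

MAPPING_PREFIX = "X509:"
SEGMENT_RE = re.compile(r"<([A-Za-z0-9-]+)>([^<]*)")

# Tag sets -> (mapping kind, strong?).  Strong forms bind to data the
# requester of a user certificate cannot choose (issuer+serial, SKI,
# public-key hash); weak forms bind to names the requester may control.
MAPPING_KINDS = {
    frozenset({"I", "SR"}): ("X509IssuerSerialNumber", True),
    frozenset({"SKI"}): ("X509SKI", True),
    frozenset({"SHA1-PUKEY"}): ("X509SHA1PublicKey", True),
    frozenset({"I", "S"}): ("X509IssuerSubject", False),
    frozenset({"S"}): ("X509SubjectOnly", False),
    frozenset({"RFC822"}): ("X509RFC822", False),
}

# Which key of the constructed certificate dict each tag compares against.
TAG_TO_CERT_FIELD = {
    "I": "issuer", "SR": "serial", "S": "subject",
    "SKI": "ski", "SHA1-PUKEY": "sha1_pubkey", "RFC822": "rfc822",
}

HEX_TAGS = ("SR", "SKI", "SHA1-PUKEY")


@dataclass
class Mapping:
    raw: str
    kind: str      # e.g. "X509IssuerSerialNumber", or "invalid"
    strong: bool
    fields: dict   # tag -> value


def parse_mapping(value: str) -> Mapping:
    """Parse one altSecurityIdentities value into its tagged segments."""
    if not value.startswith(MAPPING_PREFIX):
        return Mapping(value, "invalid", False, {})
    body = value[len(MAPPING_PREFIX):]
    segments = SEGMENT_RE.findall(body)
    # Anything not consumed as <TAG>value segments means a malformed value.
    if "".join(f"<{t}>{v}" for t, v in segments) != body:
        return Mapping(value, "invalid", False, {})
    fields = {}
    for tag, val in segments:
        if tag in fields or not val:       # duplicate tag or empty value
            return Mapping(value, "invalid", False, {})
        fields[tag] = val
    kind, strong = MAPPING_KINDS.get(frozenset(fields), ("invalid", False))
    return Mapping(value, kind, strong, fields if kind != "invalid" else {})


def classify(value: str) -> str:
    """Return 'strong', 'weak' or 'invalid' for one mapping value."""
    m = parse_mapping(value)
    if m.kind == "invalid":
        return "invalid"
    return "strong" if m.strong else "weak"


def _norm(tag: str, s: str) -> str:
    # Hex-encoded fields compare case-insensitively; names compare exactly
    # (assumption: both sides already use the same textual form).
    return s.lower() if tag in HEX_TAGS else s


def match_certificate(mappings, cert, require_strong=True):
    """Return the first mapping the certificate satisfies, or None.

    With require_strong=True (the hardened mode) weak mappings are skipped
    outright, so agreement on subject or e-mail alone can never map the
    certificate to the account.
    """
    for raw in mappings:
        m = parse_mapping(raw)
        if m.kind == "invalid" or (require_strong and not m.strong):
            continue
        if all(_norm(t, cert.get(TAG_TO_CERT_FIELD[t], "")) == _norm(t, v)
               for t, v in m.fields.items()):
            return m
    return None


# Constructed sample data (hypothetical CA, account and serials).
USER_MAPPINGS = [
    "X509:<I>DC=org,DC=example,CN=Example-CA<SR>1a2b3c4d",   # strong
    "X509:<S>CN=alice,OU=Users,DC=example,DC=org",          # weak
    "X509:<RFC822>alice@example.org",                        # weak
]

# Certificate actually issued to alice.
ALICE_CERT = {
    "issuer": "DC=org,DC=example,CN=Example-CA",
    "serial": "1A2B3C4D",
    "subject": "CN=alice,OU=Users,DC=example,DC=org",
    "rfc822": "alice@example.org",
}

# Certificate from the same CA whose subject name the requester chose:
# same names as alice's, different serial.
CHOSEN_NAME_CERT = dict(ALICE_CERT, serial="99999999")

if __name__ == "__main__":
    for raw in USER_MAPPINGS:
        print(f"{classify(raw):8s} {raw}")
    for name, cert in (("alice", ALICE_CERT), ("chosen-name", CHOSEN_NAME_CERT)):
        for strong_only in (False, True):
            m = match_certificate(USER_MAPPINGS, cert, require_strong=strong_only)
            print(f"{name:12s} strong_only={strong_only!s:5s} -> "
                  f"{m.kind if m else 'no match'}")
```

Run as-is to see that the legitimate certificate maps through the issuer+serial entry in both modes, while the certificate with the chosen subject name maps only when weak mappings are still honoured.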
