From bf79979f847de36db9da9646a396cdfe6b0e1c6f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 11 Oct 2023 15:58:22 +0200 Subject: [PATCH] s4:kdc: fix user2user tgs-requests for normal user accounts User2User tgs requests use the session key of the additional ticket instead of the long term keys based on the password. In addition User2User also asserts that client and server are the same account (cecked based on the sid). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224 --- selftest/knownfail.d/krb5_user2user | 1 - source4/kdc/db-glue.c | 30 +++++++++++++++++++++++++++--- source4/kdc/sdb.h | 4 +++- 3 files changed, 30 insertions(+), 5 deletions(-) delete mode 100644 selftest/knownfail.d/krb5_user2user diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user deleted file mode 100644 index 44e2f8d9729..00000000000 --- a/selftest/knownfail.d/krb5_user2user +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 89de751f616..5da274c2a4a 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -626,6 +626,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } } + if (flags & SDB_F_USER2USER_PRINCIPAL) { + /* + * User2User uses the session key + * from the additional ticket, + * so we just provide random keys + * here in order to make sure + * we never expose the user password + * keys. + */ + ret = samba_kdc_set_random_keys(context, + supported_enctypes, + &entry->keys); + + *supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES; + + goto out; + } + if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) && (userAccountControl & UF_SMARTCARD_REQUIRED)) { ret = samba_kdc_set_random_keys(context, @@ -1099,6 +1117,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, const struct authn_kerberos_client_policy *authn_client_policy = NULL; const struct authn_server_policy *authn_server_policy = NULL; int64_t enforced_tgt_lifetime_raw; + const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL); *entry = (struct sdb_entry) {}; @@ -1185,12 +1204,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, */ entry->flags.force_canonicalize = true; - /* Windows 2008 seems to enforce this (very sensible) rule by + /* + * Windows 2008 seems to enforce this (very sensible) rule by * default - don't allow offline attacks on a user's password * by asking for a ticket to them as a service (encrypted with - * their probably pathetically insecure password) */ + * their probably pathetically insecure password) + * + * But user2user avoids using the keys bases on the password, + * so we can allow it. + */ - if (entry->flags.server + if (entry->flags.server && !user2user && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) { if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) { entry->flags.server = 0; diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h index e59d22434fd..d2fb67bd9e7 100644 --- a/source4/kdc/sdb.h +++ b/source4/kdc/sdb.h @@ -120,6 +120,7 @@ struct sdb_entry { #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ #define SDB_F_ARMOR_PRINCIPAL 262144 /* fetch is for the client of an armor ticket */ +#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */ #define SDB_F_HDB_MASK (SDB_F_DECRYPT | \ SDB_F_GET_CLIENT| \ @@ -130,7 +131,8 @@ struct sdb_entry { SDB_F_KVNO_SPECIFIED | \ SDB_F_FOR_AS_REQ | \ SDB_F_FOR_TGS_REQ | \ - SDB_F_ARMOR_PRINCIPAL) + SDB_F_ARMOR_PRINCIPAL| \ + SDB_F_USER2USER_PRINCIPAL) /* This is not supported by HDB */ #define SDB_F_FORCE_CANON 16384 /* force canonicalization */ -- 2.11.4.GIT