author    Andreas Schneider <asn@samba.org>  2022-01-13 08:43:23 +0100
committer Andreas Schneider <asn@cryptomilk.org>  2022-03-04 14:58:20 +0000
commit    e25d6c89bef298ac8cd8c2fb7b49f6cbd4e05ba5
tree      9d27ec34c6fc8bb6c7d05b5521b39e089dd48efb /WHATSNEW.txt
parent    d1d47a5544998fa1bfe4ef20270d0cb35bb8adef
WHATSNEW: Bronze bit, S4U and RBCD support with MIT Kerberos 1.20
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 4 14:58:20 UTC 2022 on sn-devel-184
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r--  WHATSNEW.txt  32
1 files changed, 32 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6c7ab0407c8..9e36b20a39a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -16,6 +16,38 @@ UPGRADING
NEW FEATURES/CHANGES
====================
+Bronze bit and S4U support with MIT Kerberos 1.20
+-------------------------------------------------
+
+In 2020 Microsoft Security Response Team received another Kerberos-related
+report. Eventually, that led to a security update of the CVE-2020-17049,
+Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze
+Bit’. With this vulnerability, a compromised service that is configured to use
+Kerberos constrained delegation feature could tamper with a service ticket that
+is not valid for delegation to force the KDC to accept it.
+
+With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the
+‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was
+changed to allow passing more details between KDC and KDB components. When built
+against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions
+but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.
+
+In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports
+S4U2Self and S4U2Proxy Kerberos extensions.
+
+Resource Based Constrained Delegation (RBCD) support
+----------------------------------------------------
+
+Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT
+Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.
+Note that samba-tool lacks support for setting this up yet!
+
+To complete RBCD support and make it useful to Administrators we added the
+Asserted Identity [1] SID into the PAC for constrained delegation. This is
+available for Samba AD compiled with MIT Kerberos 1.20.
+
+[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
+
REMOVED FEATURES
================
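Review bot: Three wording slips in the hunk should be fixed before this lands: the second paragraph of the Bronze Bit section reads "Samba AD DC is able able to mitigate the" (doubled "able"), the RBCD section has "passing Sambas S4U testsuite" (should be "Samba's"), and "configured to use Kerberos constrained delegation feature" needs "the" before "Kerberos". More substantively, the line "Note that samba-tool lacks support for setting this up yet!" leaves administrators with no indication of whether RBCD can be configured on a Samba AD DC at all in this release; either point them to the manual way of enabling it or state plainly that it cannot be configured yet. Both new sections describe only the build against MIT Kerberos 1.19/1.20; one sentence saying what these entries mean for Samba AD DC builds that do not use MIT Kerberos would let readers of WHATSNEW decide whether the Bronze Bit mitigation applies to them. Finally, "a security update of the CVE-2020-17049" reads oddly; "a security update for CVE-2020-17049" is clearer.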