author | Alexander Bokovoy <ab@samba.org> | 2018-02-16 18:15:28 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-09-05 15:40:53 +0200 |
commit | c53bf98a629dfa1592aa12cca8166201c872f0db (patch) | |
tree | c6b959e261bb4ec038cba11ae09807223ab8e9bd /lib/krb5_wrap | |
parent | 3dba82d3e631c55b71fdfb8bc278d1dfa697a49b (diff) | |
krb5-samba: interdomain trust uses different salt principal
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)
The salt principal for the BLA$ user object was generated wrong.
dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA
dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000
The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.
While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
(cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-9-test): Wed Sep 5 15:40:53 CEST 2018 on sn-devel-144
Diffstat (limited to 'lib/krb5_wrap')
-rw-r--r-- | lib/krb5_wrap/krb5_samba.c | 61 | ||||
-rw-r--r-- | lib/krb5_wrap/krb5_samba.h | 2 |
2 files changed, 46 insertions, 17 deletions
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 7e90913beb0..a6ff97640ca 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -24,6 +24,7 @@
 #include "system/filesys.h"
 #include "krb5_samba.h"
 #include "lib/crypto/crypto.h"
+#include "../libds/common/flags.h"
 
 #ifdef HAVE_COM_ERR_H
 #include <com_err.h>
@@ -445,8 +446,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
 * @param[in] userPrincipalName The userPrincipalName attribute of the object
 * or NULL is not available.
 *
- * @param[in] is_computer The indication of the object includes
- * objectClass=computer.
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
 *
 * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
 *
@@ -459,7 +459,7 @@ int smb_krb5_get_pw_salt(krb5_context context,
 int smb_krb5_salt_principal(const char *realm,
 const char *sAMAccountName,
 const char *userPrincipalName,
- bool is_computer,
+ uint32_t uac_flags,
 TALLOC_CTX *mem_ctx,
 char **_salt_principal)
 {
@@ -480,6 +480,23 @@ int smb_krb5_salt_principal(const char *realm,
 return EINVAL;
 }
 
+ if (uac_flags & ~UF_ACCOUNT_TYPE_MASK) {
+ /*
+ * catch callers which still
+ * pass 'true'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+ if (uac_flags == 0) {
+ /*
+ * catch callers which still
+ * pass 'false'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
 upper_realm = strupper_talloc(frame, realm);
 if (upper_realm == NULL) {
 TALLOC_FREE(frame);
@@ -493,7 +510,7 @@ int smb_krb5_salt_principal(const char *realm,
 /*
 * Determine a salting principal
 */
- if (is_computer) {
+ if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
 int computer_len = 0;
 char *tmp = NULL;
 
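Review bot: The two guards added in the -480 hunk reject `uac_flags` values outside UF_ACCOUNT_TYPE_MASK and the value zero, but a value with several account-type bits set still passes and is then classified by whichever branch below matches first; if callers are expected to pass exactly one account-type bit, that contract belongs in the `@param[in] uac_flags` text changed in the -445 hunk, e.g. `@param[in] uac_flags userAccountControl masked with UF_ACCOUNT_TYPE_MASK (one account type bit); other values yield EINVAL`, and the new EINVAL results should appear in the function's @return documentation, which lies outside the hunk. The guard comments `catch callers which still pass 'true'` and `pass 'false'` describe a migration concern rather than what the checks enforce; once the bool callers are gone the checks remain useful input validation, so wording such as `reject anything that is not a UF_ACCOUNT_TYPE_MASK subset` would age better. smb_krb5_salt_principal begins in the -459 hunk and its body continues past the end of this line.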
@@ -502,20 +519,32 @@ int smb_krb5_salt_principal(const char *realm, computer_len -= 1; } - tmp = talloc_asprintf(frame, "host/%*.*s.%s", - computer_len, computer_len, - sAMAccountName, realm); - if (tmp == NULL) { - TALLOC_FREE(frame); - return ENOMEM; - } + if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) { + principal = talloc_asprintf(frame, "krbtgt/%*.*s", + computer_len, computer_len, + sAMAccountName); + if (principal == NULL) { + TALLOC_FREE(frame); + return ENOMEM; + } + } else { - principal = strlower_talloc(frame, tmp); - TALLOC_FREE(tmp); - if (principal == NULL) { - TALLOC_FREE(frame); - return ENOMEM; + tmp = talloc_asprintf(frame, "host/%*.*s.%s", + computer_len, computer_len, + sAMAccountName, realm); + if (tmp == NULL) { + TALLOC_FREE(frame); + return ENOMEM; + } + + principal = strlower_talloc(frame, tmp); + TALLOC_FREE(tmp); + if (principal == NULL) { + TALLOC_FREE(frame); + return ENOMEM; + } } + principal_len = strlen(principal); } else if (userPrincipalName != NULL) { diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index 315d3c3492e..8305c1f77af 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -353,7 +353,7 @@ int smb_krb5_get_pw_salt(krb5_context context, int smb_krb5_salt_principal(const char *realm, const char *sAMAccountName, const char *userPrincipalName, - bool is_computer, + uint32_t uac_flags, TALLOC_CTX *mem_ctx, char **_salt_principal); int smb_krb5_salt_principal2data(krb5_context context, |
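Review bot: The new `krbtgt/%*.*s` branch keeps sAMAccountName in its original case while the `host/` branch next to it still passes the result through strlower_talloc(), and nothing in the code records that the asymmetry is intentional; the commit message explains that Windows stores 'W4EDOM-L4.BASEkrbtgtBLA' for the trust, so a comment above the krbtgt branch would protect it from a later "consistency" change, e.g. `/* Interdomain trusts salt with krbtgt/<flatName> in original case and without the realm suffix, matching the salt Windows stores in package_PrimaryKerberosBlob. */`. The `$` stripping that sets computer_len happens above the hunk and the if/else-if chain that chooses the salting principal continues below it, so the trailing-dollar handling cannot be checked from this hunk alone. The -353 hunk of krb5_samba.h only mirrors the prototype change.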