author | Alexander Bokovoy <ab@samba.org> | 2018-02-16 18:15:28 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2018-09-05 18:32:04 +0200 |
commit | 3ea96a259258e286284c65e840148b6a7d57a5a8 (patch) | |
tree | 93c15647706d84ab59d24ff5f21a151b18cb9c4a /source4/dsdb | |
parent | d726535d61c6c8ac52e387d500841d6bf967186d (diff) | |
download | samba-3ea96a259258e286284c65e840148b6a7d57a5a8.tar.gz |
krb5-samba: interdomain trust uses different salt principal
The salt principal for an interdomain trust is krbtgt/DOMAIN@REALM, where
DOMAIN is the sAMAccountName without the dollar sign ($).
The salt principal for the BLA$ user object was generated incorrectly.
dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000
The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.
While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
(cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060)
Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-8-test): Wed Sep 5 18:32:05 CEST 2018 on sn-devel-144
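The salt rules described in the commit message, as an added worked example (Python written for this page, not Samba's code): it parses a constructed LDIF entry for the BLA$ trust account, masks userAccountControl with UF_ACCOUNT_TYPE_MASK the way the patched setup_kerberos_keys() does, derives the RFC 4120 default salt (realm followed by the principal's name components, no separator) under both the old objectClass-based rule and the new account-type rule, reproduces the 'W4EDOM-L4.BASEkrbtgtBLA.BASE' salt used for the trustAuthOutgoing/trustAuthIncoming keys, and runs the PBKDF2 step of RFC 3962 string-to-key on the result. The UF_* bit values, the host/<name>.<realm> form for machine accounts and the use of the UPN's local part for ordinary users are general Windows/Samba conventions rather than facts shown on this page; treat them as assumptions, and note that the final DK(tkey, "kerberos") step of string-to-key needs AES and is deliberately left out.

```python
"""Kerberos salt derivation for Samba AD account kinds (added example, not Samba code)."""
import hashlib

# userAccountControl account-type bits (MS-ADTS). UF_ACCOUNT_TYPE_MASK is assumed
# here to be their OR, which is how Samba's libds/common/flags.h defines it.
UF_TEMP_DUPLICATE_ACCOUNT = 0x0100
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_ACCOUNT_TYPE_MASK = (UF_TEMP_DUPLICATE_ACCOUNT | UF_NORMAL_ACCOUNT |
                        UF_INTERDOMAIN_TRUST_ACCOUNT |
                        UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)

REALM = "W4EDOM-L4.BASE"

# Constructed from the BLA$ record quoted in the commit message; objectClass is
# added because the message calls it a "user object". 2080 == 0x820 ==
# UF_INTERDOMAIN_TRUST_ACCOUNT | UF_PASSWD_NOTREQD.
TRUST_ACCOUNT_LDIF = """\
dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
objectClass: user
userAccountControl: 2080
sAMAccountName: BLA$
"""


def parse_ldif(text):
    """Minimal single-entry LDIF parser; every attribute becomes a list of values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def default_salt(principal):
    """RFC 4120 default salt: realm then the name components, with no separators."""
    name, _, realm = principal.rpartition("@")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def salt_principal_by_uac(realm, sam_account_name, user_principal_name, uac_flags):
    """Post-fix rule: the account-type bits of userAccountControl pick the form."""
    if uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT:
        # Interdomain trust: krbtgt/DOMAIN@REALM, DOMAIN = sAMAccountName minus '$'.
        return f"krbtgt/{sam_account_name.rstrip('$')}@{realm}"
    if uac_flags & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT):
        # Machine account: host/<lowercase name>.<lowercase realm>@REALM (assumed
        # Windows convention, not shown on this page).
        host = sam_account_name.rstrip("$").lower()
        return f"host/{host}.{realm.lower()}@{realm}"
    # Ordinary account: UPN local part if set, else sAMAccountName (assumption
    # about how smb_krb5_salt_principal() uses its userPrincipalName argument).
    if user_principal_name:
        return f"{user_principal_name.split('@')[0]}@{realm}"
    return f"{sam_account_name}@{realm}"


def salt_principal_by_objectclass(realm, sam_account_name, user_principal_name,
                                  is_computer):
    """Pre-fix rule: only objectClass=computer got the host form, so a trust
    account (objectClass user, sAMAccountName BLA$) was salted like a user."""
    flags = UF_WORKSTATION_TRUST_ACCOUNT if is_computer else UF_NORMAL_ACCOUNT
    return salt_principal_by_uac(realm, sam_account_name, user_principal_name, flags)


def trust_auth_salt(realm, trust_partner):
    """Salt for keys built from trustAuthOutgoing/trustAuthIncoming:
    krbtgt/<TRUSTPARTNER>@REALM with the partner DNS name upper-cased."""
    return default_salt(f"krbtgt/{trust_partner.upper()}@{realm}")


def aes256_pbkdf2_tkey(password, salt, iterations=4096):
    """First step of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
    tkey = PBKDF2-HMAC-SHA1(password, salt, 4096, 32 bytes). The final
    DK(tkey, "kerberos") step needs AES and is intentionally not done here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def salts_for_entry(realm, entry):
    """Old and new salt for one parsed entry, mirroring the patched code path:
    userAccountControl & UF_ACCOUNT_TYPE_MASK selects the salt principal."""
    sam = entry["sAMAccountName"][0]
    upn = entry.get("userPrincipalName", [None])[0]
    uac = int(entry["userAccountControl"][0]) & UF_ACCOUNT_TYPE_MASK
    is_computer = "computer" in entry.get("objectClass", [])
    return {
        "fixed": default_salt(salt_principal_by_uac(realm, sam, upn, uac)),
        "old": default_salt(salt_principal_by_objectclass(realm, sam, upn, is_computer)),
    }


if __name__ == "__main__":
    salts = salts_for_entry(REALM, parse_ldif(TRUST_ACCOUNT_LDIF))
    print("Windows / fixed Samba:", salts["fixed"])
    print("Samba before the fix :", salts["old"])
    print("trustAuth* key salt  :", trust_auth_salt(REALM, "bla.base"))
    print("aes256 tkey (hex)    :", aes256_pbkdf2_tkey("trust-password", salts["fixed"]).hex())
```

Running it prints the Windows-style salt 'W4EDOM-L4.BASEkrbtgtBLA' next to the pre-fix 'W4EDOM-L4.BASEBLA$', which is exactly why keys derived by the two sides of the trust did not match: a different salt feeds PBKDF2 a different input and yields an unrelated key even for the same trust password.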
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 1ddafb34101..95c1376f26d 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -128,7 +128,6 @@ struct setup_password_fields_io { NTTIME pwdLastSet; const char *sAMAccountName; const char *user_principal_name; - bool is_computer; bool is_krbtgt; uint32_t restrictions; struct dom_sid *account_sid; @@ -676,15 +675,17 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) krb5_data salt; krb5_keyblock key; krb5_data cleartext_data; + uint32_t uac_flags = 0; ldb = ldb_module_get_ctx(io->ac->module); cleartext_data.data = (char *)io->n.cleartext_utf8->data; cleartext_data.length = io->n.cleartext_utf8->length; + uac_flags = io->u.userAccountControl & UF_ACCOUNT_TYPE_MASK; krb5_ret = smb_krb5_salt_principal(io->ac->status->domain_data.realm, io->u.sAMAccountName, io->u.user_principal_name, - io->u.is_computer, + uac_flags, io->ac, &salt_principal); if (krb5_ret) { @@ -3163,7 +3164,6 @@ static int setup_io(struct ph_context *ac, "sAMAccountName", NULL); io->u.user_principal_name = ldb_msg_find_attr_as_string(info_msg, "userPrincipalName", NULL); - io->u.is_computer = ldb_msg_check_string_attribute(info_msg, "objectClass", "computer"); /* Ensure it has an objectSID too */ io->u.account_sid = samdb_result_dom_sid(ac, info_msg, "objectSid"); |
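Review bot: removing `bool is_computer;` from struct setup_password_fields_io goes together with changing the argument handed to smb_krb5_salt_principal() from that bool to a `uint32_t` flags word in the next hunk, but this diffstat is limited to source4/dsdb, so the matching change to the smb_krb5_salt_principal() prototype (and any other callers outside this directory) is not visible here. Please confirm the callee was updated in the same commit: with the old `bool` prototype the call would still compile, the nonzero flags word would silently convert to true, and every account with any type bit set would be salted as a computer.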
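Review bot: in setup_kerberos_keys() the initialiser in `uint32_t uac_flags = 0;` is dead, since the next statement after the cleartext setup is `uac_flags = io->u.userAccountControl & UF_ACCOUNT_TYPE_MASK;`; either assign at the declaration or drop the `= 0`. More importantly, the commit message says interdomain trusts now get a krbtgt/DOMAIN@REALM salt with the '$' stripped, but nothing in this hunk does that: it only passes the masked type bits through, and the choice of salt form is made inside smb_krb5_salt_principal(), outside this file. A one-line comment at the call site noting that the account-type bits select the salt form (for the BLA$ account from the message, userAccountControl 2080 == 0x820 carries UF_INTERDOMAIN_TRUST_ACCOUNT, 0x800) would save the next reader a trip into lib/.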
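Review bot: dropping the `ldb_msg_check_string_attribute(info_msg, "objectClass", "computer")` test in setup_io() changes the salt for any object whose objectClass and userAccountControl disagree, not only for trust accounts: a `computer` object without UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT in userAccountControl now gets a user-style salt, and a `user` object carrying those bits gets a host-style one. That is consistent with the Windows-generated salt quoted in the commit message (the BLA$ object is a user object, yet Windows salts it as krbtgt/BLA), but it is a behaviour change for existing accounts and deserves a sentence in the commit message plus a test that covers both the trust account and an ordinary machine account.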