path: root/source4/heimdal/kdc
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
  Stefan Metzmacher, 2022-01-19, 65 files, -29034/+0

  This makes it clearer that we always want to do heimdal changes via the
  lorikeet-heimdal repository.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
  Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184

* s4:heimdal: import lorikeet-heimdal-202201172009 (commit 5a0b45cd723628b3690ea848548b05771c40f14e)
  Stefan Metzmacher, 2022-01-19, 64 files, -2653/+21832

  See https://git.samba.org/?p=lorikeet-heimdal.git;a=shortlog;h=refs/heads/lorikeet-heimdal-202201172009
  or https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/tree/lorikeet-heimdal-202201172009

  NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

  Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
  Joseph Sutton, 2021-11-30, 4 files, -4/+8

  Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but when
  generating a service ticket for S4U2Self, we want to avoid adding the
  additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal:kdc: Always generate a PAC for S4U2Self
  Joseph Sutton, 2021-11-30, 1 file, -6/+7

  If we decided not to put a PAC into the ticket, mspac would be NULL here, and
  the resulting ticket would not contain a PAC. This could happen if there was
  a request to omit the PAC or the service did not require authorization data.
  Ensure that we always generate a PAC.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal:kdc: Adjust no-PAC error code to match Windows
  Joseph Sutton, 2021-11-30, 1 file, -1/+1

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal:kdc: Fix error message for user-to-user
  Joseph Sutton, 2021-11-30, 1 file, -1/+1

  We were checking the wrong variable to see whether a PAC was found or not.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 heimdal:kdc: Require PAC to be present
  Joseph Sutton, 2021-11-09, 1 file, -1/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
  Joseph Sutton, 2021-11-09, 1 file, -5/+28

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
  Joseph Sutton, 2021-11-09, 1 file, -1/+55

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
  Joseph Sutton, 2021-11-09, 1 file, -58/+55

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
  Joseph Sutton, 2021-11-09, 1 file, -35/+35

  This allows us to use it when validating user-to-user.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* CVE-2020-25719 heimdal:kdc: Check return code
  Joseph Sutton, 2021-11-09, 1 file, -1/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
  Andrew Bartlett, 2021-11-09, 1 file, -8/+18

  Looking up the DB twice is subject to a race and is a poor use of resources,
  so instead just pass in the record we already got when trying to confirm that
  the server in S4U2Self is the same as the requesting client.

  The client record has already been bound to the original client by the SID
  check in the PAC.

  Likewise by looking up server only once we ensure that the keys looked up
  originally are in the record we confirm the SID for here.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

* CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
  Joseph Sutton, 2021-11-09, 4 files, -10/+24

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
  Viktor Dukhovni, 2021-10-20, 1 file, -3/+10

  Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to
  not be added to the transit path of issued tickets. This may, in some cases,
  enable bypass of capath policy in Heimdal versions 1.5 through 7.2.

  Note, this may break sites that rely on the bug. With the bug some
  incomplete [capaths] worked, that should not have. These may now break
  authentication in some cross-realm configurations.

  (similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184

* heimdal:kdc: Fix ticket signing without a PAC
  Joseph Sutton, 2021-10-17, 1 file, -2/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* kdc: correctly generate PAC TGS signature
  Luke Howard, 2021-10-14, 1 file, -1/+48

  When generating an AS-REQ, the TGS signature was incorrectly generated using
  the server key, which would fail to validate if the server was not also the
  TGS. Fix this.

  Patch from Isaac Bourkis <iboukris@gmail.com>.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  [jsutton@samba.org Backported from Heimdal commit
   e7863e2af922809dad25a2e948e98c408944d551
   - Samba's Heimdal version does not have the generate_pac() helper function.
   - Samba's Heimdal version does not use the 'r' context variable.
  ]

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* kdc: use ticket client name when signing PAC
  Luke Howard, 2021-10-14, 1 file, -1/+11

  The principal in the PAC_LOGON_NAME buffer is expected to match the client
  name in the ticket. Previously we were setting this to the canonical client
  name, which would have broken PAC validation if the client did not request
  name canonicalization

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  [jsutton@samba.org Backported from Heimdal commit
   3b0856cab2b25624deb1f6e0e67637ba96a647ac
   - Renamed variable to avoid shadowing existing variable
  ]

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
  Luke Howard, 2021-10-14, 1 file, -1/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  [jsutton@samba.org Backported from Heimdal commit
   f1dd2b818aa0866960945edea02a6bc782ed697c
   - Removed change to _kdc_find_etype() use_strongest_session_key parameter
     since Samba's Heimdal version uses different logic
  ]

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* krb5: allow NULL parameter to krb5_pac_free()
  Isaac Boukris, 2021-10-14, 1 file, -2/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  [jsutton@samba.org Cherry-picked from Heimdal commit
   b295167208a96e68515902138f6ce93972892ec5]

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: sign ticket using Windows PAC
  Isaac Boukris, 2021-10-14, 4 files, -239/+204

  Split Windows PAC signing and verification logic, as the signing has to be
  when the ticket is ready.

  Create sign and verify the PAC KDC signature if the plugin did not, allowing
  for S4U2Proxy to work, instead of KRB5SignedPath.

  Use the header key to verify PAC server signature, as the same key used to
  encrypt/decrypt the ticket should be used for PAC server signature, like U2U
  tickets are signed with the tgt session-key and not with the longterm key,
  and so krbtgt should be no different and the header key should be used.

  Lookup the delegated client in DB instead of passing the delegator DB entry.

  Add PAC ticket-signatures and related functions.

  Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
  against new KDC will not work if the evidence ticket was acquired from an
  old KDC, and vice versa.

  Closes: #767

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  [jsutton@samba.org Backported from Heimdal commit
   2ffaba9401d19c718764d4bd24180960290238e9
   - Removed tests
   - Adapted to Samba's version of Heimdal
   - Addressed build failures with -O3
   - Added knownfails
  ]

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* kdc: remove KRB5SignedPath, to be replaced with PAC
  Isaac Boukris, 2021-10-14, 2 files, -309/+0

  KRB5SignedPath was a Heimdal-specific authorization data element used to
  protect the authenticity of evidence tickets when used in constrained
  delegation (without a Windows PAC). Remove this, to be replaced with the
  Windows PAC which itself now supports signing the entire ticket in the TGS
  key.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

  [jsutton@samba.org Backported from Heimdal commit
   bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
   - Removed tests
   - Removed auditing hook (only present in Heimdal master)
   - Added knownfails
  ]

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal:kdc: Only check for default salt for des-cbc-crc enctype
  Joseph Sutton, 2021-10-14, 1 file, -1/+2

  Previously, this algorithm was preferring RC4 over AES for machine accounts
  in the preauth case. This is because AES keys for machine accounts in Active
  Directory use a non-default salt, while RC4 keys do not use a salt. To avoid
  this behaviour, only prefer keys with default salt for the des-cbc-crc
  enctype.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
  Luke Howard, 2021-09-02, 1 file, -2/+2

  If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
  and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.

  [abartlet@samba.org Backported from Heimdal commit
   892a1ffcaad98157e945c540b81f65edb14d29bd and knownfail added]

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
  Luke Howard, 2021-09-02, 1 file, -0/+4

  In tgs_build_reply(), validate the server name in the TGS-REQ is present
  before dereferencing.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

  [abartlet@samba.org backported from Heimdal commit
   04171147948d0a3636bc6374181926f0fb2ec83a via reference to an earlier patch
   by Joseph Sutton]

  RN: An unauthenticated user can crash the AD DC KDC by omitting the server
  name in a TGS-REQ

  Reviewed-by: Andreas Schneider <asn@samba.org>
* heimdal: apply disallow-forwardable on server in TGS request
  Isaac Boukris, 2020-06-12, 1 file, -0/+6

  upstream commit: 839b073facd2aecda6740224d73e560bc79965dc

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
  Isaac Boukris, 2020-06-11, 1 file, -6/+23

  even if the tgt session key uses different hmac.

  Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that's
  what Windows 7 client and MIT client send.

  In heimdal both the client and kdc use the checksum of the tgt key instead
  and therefore work with each other but Windows and MIT clients fail against
  heimdal KDC.

  Windows KDC allows either checksum (HMAC_MD5 or from tgt) so we should do
  the same to support all clients.

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Jun 11 02:48:58 UTC 2020 on sn-devel-184

* CVE-2019-14870: heimdal: enforce delegation_not_allowed in S4U2Self
  Isaac Boukris, 2019-12-10, 1 file, -22/+36

  Signed-off-by: Isaac Boukris <iboukris@gmail.com>

* CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
  Isaac Boukris, 2019-05-14, 1 file, -0/+7

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(master): Tue May 14 11:45:13 UTC 2019 on sn-devel-184
* heimdal: Change KDC to respect HDB server name type if f.canonicalize is set
  Andrew Bartlett, 2018-09-05, 1 file, -2/+5

  This changes behaviour flagged as being for Java 1.6. My hope is that this
  does not set f.canonicalize

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

* Revert "s4/heimdal: allow SPNs in AS-REQ"
  Andrew Bartlett, 2018-09-05, 1 file, -3/+3

  This reverts commit 20dc68050df7b1b0c9d06f8251183a0a6283fcaf.

  Tests (the krb5.kdc testsuite) show this behaviour is incorrect.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

* auth: For NTLM and KDC authentication, log the authentication duration
  Andrew Bartlett, 2018-06-25, 1 file, -0/+5

  This is not a general purpose profiling solution, but these JSON logs are
  already being generated and stored, so this is worth adding.

  Some administrators are very keen to know how long authentication takes,
  particularly due to long replication transactions in other processes.

  This complements a similar patch set to log the transaction duration.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

* HEIMDAL:kdc: fix dh->q allocation check in get_dh_param()
  Stefan Metzmacher, 2017-12-06, 1 file, -1/+1

  Thanks to Doug Nazar <nazard@nazar.ca> for spotting this!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from heimdal commit a79b59ba27070a015479e8d981b7e685dbe34310)
  Reviewed-by: Andreas Schneider <asn@samba.org>

* HEIMDAL: don't bother seeing q if not sent
  Love Hornquist Astrand, 2017-08-28, 1 file, -3/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b)
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Aug 28 15:10:54 CEST 2017 on sn-devel-144

* HEIMDAL: allow optional q in DH DomainParameters
  Love Hornquist Astrand, 2017-08-28, 1 file, -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95)

* heimdal: Pass extra information to hdb_auth_status() to log success and failures
  Andrew Bartlett, 2017-03-29, 1 file, -4/+35

  We now pass on the original client name and the client address to allow
  consistent audit logging in Samba across multiple protocols.

  We use config->db[0] to find the first database to record incorrect users.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>

* heimdal: Add initializer for stack pointers
  Andrew Bartlett, 2017-03-27, 1 file, -2/+2

  This helps ensure we know these are NULL until set

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* HEIMDAL:kdc: make it possible to disable the principal based referral detection
  Stefan Metzmacher, 2017-03-10, 3 files, -1/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
  Stefan Metzmacher, 2016-07-22, 4 files, -4/+22

  This allows PAC_CREDENTIAL_INFO to be added to the PAC when using PKINIT.
  In that case PAC_CREDENTIAL_INFO contains an encrypted PAC_CREDENTIAL_DATA.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* HEIMDAL:kdc: reset e_text after successful pre-auth verification
  Stefan Metzmacher, 2016-07-22, 1 file, -0/+2

  This is already fixed in upstream heimdal.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* kerberos: Return enc data on PREAUTH_FAILED
  Garming Sam, 2016-07-05, 1 file, -79/+99

  Without the enc data, Windows clients will perform two AS-REQ causing the
  password lockout count to increase by two instead of one.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Jul 5 10:52:32 CEST 2016 on sn-devel-144

* heimdal make kvno unsigned internally
  Uri Simchoni, 2016-05-24, 2 files, -3/+16

  The folks at heimdal didn't like the patch in commit
  6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted that kvno should
  remain unsigned internally, even though it is encoded as signed in packets.

  This patch reverts some of the unsigned->signed changes in that commit, and
  resolves conversion issues - in order to be aligned with upstream Heimdal.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
* heimdal: encode/decode kvno as signed integer
  Uri Simchoni, 2016-05-07, 1 file, -1/+1

  This patch changes the encoding/decoding of kvno (key version number) in
  blobs and packets to signed integer, for compatibility with Windows.
  Reportedly, MIT Kerberos does the same.

  This patch effectively reverts commit
  1124c4872dfb81bec9c4b527b8927ca35e39a599 in the heimdal tree.

  According to the Kerberos spec (RFC 4120 5.2.9), the kvno field in encrypted
  data object is an unsigned integer that fits in 32 bits. The Heimdal
  Kerberos component bundled with Samba conforms to this. However, Windows
  deviates from the standard and encodes kvno as a signed integer, and this
  creates interoperability issues.

  ASN.1 DER has no special encoding for unsigned integer. A 32-bit unsigned
  integer is encoded as a signed integer, so while a signed 32-bit integer
  (covering the range of -0x80000000..0x7fffffff) is encoded using up to 4
  bytes, an unsigned integer (covering 0..0xffffffff) could require 5 bytes.

  Normally, kvno for a given account starts at 1 and increments on password
  changes. Kerberos defined this as unsigned because there's no meaning for
  negative version numbers, so the standard writers figured 4 billion versions
  is better than 2 billion. It was not expected for a kvno to really go past
  0x7fffffff and the distinction usually does not matter.

  However, RODCs use kvnos which have the most-significant bit set. In Active
  Directory, RODCs have a private secret for the krbtgt, because the
  assumption is that the RODC is less secure, and recovering the domain krbtgt
  secret from the RODC would compromise the security of the entire domain. The
  kvno field is being used to identify the private krbtgt account that owns
  the key - the upper 16 bits are the RODC id, and the lower 16 bits identify
  the key version number for this specific RODC.

  It's common to have an RODC id greater than 0x8000, and therefore to have a
  kvno larger than 0x7fffffff, which would be DER-encoded using 5 bytes.
  Windows encodes kvno as signed integer - basically taking the 32 bits and
  treating them as a signed integer rather than an unsigned integer. This
  means that in Windows a kvno can always be encoded using 4 bytes, and
  Windows DCs reject a kvno encoded using more than 4 bytes without even
  generating an error response (the DC assumes it's an attack).

  Heimdal re-encodes the TGT when it creates a TGS request. Obviously it
  cannot decode and encode the encrypted parts but it does re-encode the plain
  parts, which include the kvno. That leads to a 5-byte kvno in the TGS
  request, which is rejected without an error response.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Sat May 7 21:14:21 CEST 2016 on sn-devel-144
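The 4-byte versus 5-byte DER INTEGER problem described in the commit message above, shown as an added, stand-alone example. This is not Samba or Heimdal code (Heimdal uses its ASN.1 compiler for this; the encoder and decoder here are hand-written and illustrative only), and the RODC id 0x9ABC used in main() is a constructed value, not taken from any real deployment. It encodes the same 32-bit kvno under RFC 4120 unsigned semantics and under the Windows signed reinterpretation, checks which one stays within the 4 content octets a Windows DC tolerates, and shows a tolerant decoder that accepts both forms while still rejecting non-minimal (non-DER) encodings.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* AD-style RODC kvno as the commit describes it: upper 16 bits are the
 * RODC id, lower 16 bits the key version for that RODC. */
uint32_t rodc_kvno(uint16_t rodc_id, uint16_t key_version)
{
    return ((uint32_t)rodc_id << 16) | key_version;
}

/* Minimal two's-complement big-endian content octets of a DER INTEGER.
 * Returns the number of octets written (1..8). */
static size_t der_int_content(int64_t v, uint8_t *out)
{
    size_t n = 1;
    while (n < 8) {
        int64_t lo = -((int64_t)1 << (8 * n - 1));
        int64_t hi =  ((int64_t)1 << (8 * n - 1)) - 1;
        if (v >= lo && v <= hi)
            break;
        n++;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(((uint64_t)v) >> (8 * (n - 1 - i)));
    return n;
}

/* DER-encode a 32-bit kvno as INTEGER (tag 0x02, length, content).
 * windows_style == 0: unsigned semantics per RFC 4120; values with the top
 *                     bit set need a leading 0x00 and so take 5 octets.
 * windows_style != 0: the same 32 bits reinterpreted as a signed int32, so
 *                     the content never exceeds 4 octets.
 * Returns the total encoded length; out must hold at least 7 bytes. */
size_t der_encode_kvno(uint32_t kvno, int windows_style, uint8_t *out)
{
    int64_t v = (int64_t)kvno;
    if (windows_style && (kvno & 0x80000000u))
        v -= (int64_t)1 << 32;          /* 0x80000000..0xFFFFFFFF -> negative */
    uint8_t content[8];
    size_t n = der_int_content(v, content);
    out[0] = 0x02;
    out[1] = (uint8_t)n;
    memcpy(out + 2, content, n);
    return 2 + n;
}

/* Tolerant receive-side decoder: accepts the 4-octet signed form and the
 * 5-octet unsigned form of the same value. Returns 0 on success, -1 for a
 * malformed or non-minimal encoding or a value outside 32 bits. */
int der_decode_kvno(const uint8_t *in, size_t len, uint32_t *kvno)
{
    if (len < 3 || in[0] != 0x02)
        return -1;
    size_t n = in[1];
    if (n == 0 || n > 5 || len != 2 + n)
        return -1;
    /* DER forbids a redundant leading 0x00 or 0xFF octet */
    if (n > 1 && ((in[2] == 0x00 && !(in[3] & 0x80)) ||
                  (in[2] == 0xFF &&  (in[3] & 0x80))))
        return -1;
    uint64_t u = (in[2] & 0x80) ? ~(uint64_t)0 : 0;   /* sign-extend */
    for (size_t i = 0; i < n; i++)
        u = (u << 8) | in[2 + i];
    /* allow 0..0xFFFFFFFF (unsigned form) or -0x80000000..-1 (signed form) */
    if (u > 0xFFFFFFFFULL && u < 0xFFFFFFFF80000000ULL)
        return -1;
    *kvno = (uint32_t)(u & 0xFFFFFFFFULL);
    return 0;
}

/* Helpers: encoded length, whether a Windows DC would accept the encoding
 * (at most 4 content octets), and whether encode->decode preserves the value. */
size_t der_kvno_len(uint32_t kvno, int windows_style)
{
    uint8_t der[8];
    return der_encode_kvno(kvno, windows_style, der);
}

int kvno_accepted_by_windows_dc(uint32_t kvno, int windows_style)
{
    uint8_t der[8];
    der_encode_kvno(kvno, windows_style, der);
    return der[1] <= 4;
}

int kvno_roundtrip_ok(uint32_t kvno, int windows_style)
{
    uint8_t der[8];
    uint32_t back = 0;
    size_t len = der_encode_kvno(kvno, windows_style, der);
    return der_decode_kvno(der, len, &back) == 0 && back == kvno;
}

int main(void)
{
    uint8_t der[8];
    uint32_t kvno = rodc_kvno(0x9ABC, 1);   /* constructed RODC id, version 1 */
    for (int windows = 0; windows <= 1; windows++) {
        size_t len = der_encode_kvno(kvno, windows, der);
        printf("%s:", windows ? "signed  " : "unsigned");
        for (size_t i = 0; i < len; i++)
            printf(" %02x", der[i]);
        printf("  (%s by a Windows DC)\n",
               kvno_accepted_by_windows_dc(kvno, windows) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running main() prints the unsigned encoding `02 05 00 9a bc 00 01` (rejected) next to the signed encoding `02 04 9a bc 00 01` (accepted); both decode back to 0x9ABC0001. A kvno of 1 encodes identically either way, which is why the problem only surfaces once the RODC id pushes the value past 0x7fffffff.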
* s4/heimdal: allow SPNs in AS-REQ
  Ralph Boehme, 2016-04-25, 1 file, -3/+3

  This allows testing keytabs with service tickets. Windows KDCs allow this as
  well.

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* heimdal:kdc: add support for HDB_ERR_WRONG_REALM
  Stefan Metzmacher, 2015-07-08, 3 files, -1/+58

  A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
  for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for
  HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

  entry_ex->entry.principal->realm needs to return the real realm of the
  principal (or at least the realm of the next cross-realm trust hop).

  This is needed to route enterprise principals between AD domain trusts.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal:kdc: generic support for 3part servicePrincipalNames
  Stefan Metzmacher, 2015-07-08, 1 file, -3/+2

  This is not DRSUAPI specific, it works for all 3 part principals.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
  Stefan Metzmacher, 2015-03-12, 1 file, -52/+0

  This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt and the
  final rfc6806.txt. The number 133 was reassigned to PA-FX-COOKIE in
  rfc6113.txt.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>

* heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten
  Andrew Bartlett, 2015-01-23, 1 file, -4/+19

  This change ensures that our RODC will correctly proxy when asked to provide
  a ticket for a service or user where the keys are not on this RODC.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>

* heimdal: Really bug in KDC handling of enterprise princs
  Nicolas Williams, 2015-01-23, 1 file, -3/+2

  The value of this commit to Samba is to continue to match Heimdal's upstream
  code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL
  there is no runtime difference.

  (commit message by Andrew Bartlett)

  Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* heimdal: Fix bug in KDC handling of enterprise principals
  Nicolas Williams, 2015-01-23, 1 file, -35/+38

  The useful change in Samba from this commit is that we gain validation of
  the enterprise principal name.

  (commit message by Andrew Bartlett)

  Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f

  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>