oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: Still prefer encryption types with "not default" salts except for des-cbc-crc

Browse Source 
Samba clients are often machine accounts with non-default salts that
will fail if they can't use the AES encryption type they know the KDC
supports.  The problem is that arcfour-hmac-md5 has no salt so was
being used in preference.

Samba started to fail when

kdc_config->preauth_use_strongest_session_key = true;

was forced into the KDC configuration.

The history here is an attempt to avoid Kerberos v4 salts in des-cbc-crc
keys, but this instead broke Samba clients with AES-keys on machine accounts
as these have a non-default salt by default.  These accounts were incorrectly
restricted to arcfour-hmac-md5 and they didn't like that.

A broader fix than Samba commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53

REF: https://lists.samba.org/archive/samba/2021-October/237844.html

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864

Change-Id: Ia8908a5a2eef107e6b133d7f0e4343c1988c18bb
This commit is contained in:
Joseph Sutton
2021-11-16 10:51:06 +13:00
committed by Jeffrey Altman
parent 9fb444983e
commit 9a0372d992
1 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
kdc/kerberos5.c
View File

@@ -119,6 +119,23 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
return TRUE; return TRUE;
} }
/*
* Detect if `key' is the using the the precomputed `default_salt'
* (for des-cbc-crc) or any salt otherwise.
*
* This is for avoiding Kerberos v4 (yes really) keys in AS-REQ as
* that salt is strange, and a buggy client will try to use the
* principal as the salt and not the returned value.
*/
static krb5_boolean
is_good_salt_p(const krb5_salt *default_salt, const Key *key)
{
if (key->key.keytype == KRB5_ENCTYPE_DES_CBC_CRC)
return is_default_salt_p(default_salt, key);
return TRUE;
}
krb5_boolean krb5_boolean
_kdc_is_anon_request(const KDC_REQ *req) _kdc_is_anon_request(const KDC_REQ *req)
@@ -277,7 +294,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
enctype = p[i]; enctype = p[i];
ret = 0; ret = 0;
if (is_preauth && ret_key != NULL && if (is_preauth && ret_key != NULL &&
!is_default_salt_p(&def_salt, key)) !is_good_salt_p(&def_salt, key))
continue; continue;
} }
} }
@@ -310,7 +327,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
enctype = etypes[i]; enctype = etypes[i];
ret = 0; ret = 0;
if (is_preauth && ret_key != NULL && if (is_preauth && ret_key != NULL &&
!is_default_salt_p(&def_salt, key)) !is_good_salt_p(&def_salt, key))
continue; continue;
} }
} }