kdc: Still prefer encryption types with "not default" salts except for des-cbc-crc

Samba clients are often machine accounts with non-default salts that
will fail if they can't use the AES encryption type they know the KDC
supports.  The problem is that arcfour-hmac-md5 has no salt, so it was
being used in preference.

Samba started to fail when

kdc_config->preauth_use_strongest_session_key = true;

was forced into the KDC configuration.

The history here is an attempt to avoid Kerberos v4 salts in des-cbc-crc
keys, but this instead broke Samba clients with AES-keys on machine accounts
as these have a non-default salt by default.  These accounts were incorrectly
restricted to arcfour-hmac-md5 and they didn't like that.

A broader fix than Samba commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53

REF: https://lists.samba.org/archive/samba/2021-October/237844.html

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864

Change-Id: Ia8908a5a2eef107e6b133d7f0e4343c1988c18bb
Joseph Sutton
2021-11-16 10:51:06 +13:00
committed by Jeffrey Altman
parent 9fb444983e
commit 9a0372d992

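The selection change the commit message describes, as an added stand-alone model (not Heimdal's code): a simplified `find_etype` stand-in walks the KDC's enctype preference list and skips any key whose salt fails the predicate, exactly the `continue` the patch touches. The key/salt model, the `find_etype` helper, the `salt_pred_t` type, the `select_*` functions and all sample salts and keys are this example's own constructions; the enum names are the example's, with numeric values taken from the Kerberos enctype registry. Running it shows why a saltless arcfour-hmac-md5 key won over an AES key on a non-default salt under the old `is_default_salt_p` check, and why the narrowed `is_good_salt_p` still rejects a des-cbc-crc key on a non-default salt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Enctype numbers from the Kerberos registry; the enum names are this
 * example's own, not Heimdal's KRB5_ENCTYPE_* identifiers. */
enum enctype {
    ETYPE_DES_CBC_CRC = 1,
    ETYPE_AES256_CTS_HMAC_SHA1_96 = 18,
    ETYPE_ARCFOUR_HMAC_MD5 = 23
};

/* Simplified model of a stored long-term key: its enctype and the salt it
 * was derived with. NULL models a saltless enctype such as arcfour-hmac-md5. */
struct key {
    enum enctype etype;
    const char *salt;
};

/* Old predicate: only the precomputed default salt (or no salt) is
 * acceptable, for every enctype. */
static bool is_default_salt_p(const char *default_salt, const struct key *key)
{
    if (key->salt == NULL)
        return true;
    return strcmp(key->salt, default_salt) == 0;
}

/* New predicate from the patch: the default-salt restriction applies to
 * des-cbc-crc only; any salt is fine for the other enctypes. */
static bool is_good_salt_p(const char *default_salt, const struct key *key)
{
    if (key->etype == ETYPE_DES_CBC_CRC)
        return is_default_salt_p(default_salt, key);
    return true;
}

typedef bool (*salt_pred_t)(const char *, const struct key *);

/* Hypothetical stand-in for the preauth branch of _kdc_find_etype: return
 * the first enctype in preference order with a key passing the salt
 * predicate, or -1 if none qualifies. */
static int find_etype(const enum enctype *prefs, size_t nprefs,
                      const struct key *keys, size_t nkeys,
                      const char *default_salt, salt_pred_t pred)
{
    for (size_t i = 0; i < nprefs; i++) {
        for (size_t k = 0; k < nkeys; k++) {
            if (keys[k].etype != prefs[i])
                continue;
            if (!pred(default_salt, &keys[k]))
                continue;               /* the `continue' in the patched loops */
            return (int)prefs[i];
        }
    }
    return -1;
}

/* Constructed data: a KDC preferring AES, then arcfour, then DES, and a
 * machine account whose AES key was derived with a non-default salt. */
static const char *const kdc_default_salt = "EXAMPLE.COMhost/host.example.com";

static const enum enctype kdc_prefs[] = {
    ETYPE_AES256_CTS_HMAC_SHA1_96, ETYPE_ARCFOUR_HMAC_MD5, ETYPE_DES_CBC_CRC
};

static const struct key machine_keys[] = {
    { ETYPE_AES256_CTS_HMAC_SHA1_96, "EXAMPLE.COMhost$" }, /* non-default salt */
    { ETYPE_ARCFOUR_HMAC_MD5,        NULL },               /* saltless */
    { ETYPE_DES_CBC_CRC,             "v4-style-salt" },    /* non-default salt */
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Before the patch: the AES key is skipped for its salt and arcfour wins. */
int select_before_fix(void)
{
    return find_etype(kdc_prefs, COUNT(kdc_prefs), machine_keys,
                      COUNT(machine_keys), kdc_default_salt, is_default_salt_p);
}

/* After the patch: the AES key is accepted despite its salt. */
int select_after_fix(void)
{
    return find_etype(kdc_prefs, COUNT(kdc_prefs), machine_keys,
                      COUNT(machine_keys), kdc_default_salt, is_good_salt_p);
}

/* A des-cbc-crc key on a non-default salt is still rejected after the patch. */
int select_des_only_after_fix(void)
{
    static const struct key des_only[] = { { ETYPE_DES_CBC_CRC, "v4-style-salt" } };
    return find_etype(kdc_prefs, COUNT(kdc_prefs), des_only, COUNT(des_only),
                      kdc_default_salt, is_good_salt_p);
}

int main(void)
{
    printf("before fix: enctype %d\n", select_before_fix());         /* 23 */
    printf("after fix:  enctype %d\n", select_after_fix());          /* 18 */
    printf("des only:   enctype %d\n", select_des_only_after_fix()); /* -1 */
    return 0;
}
```

The model deliberately mirrors only the salt check; real `_kdc_find_etype` also honours the client's offered enctypes and the `preauth_use_strongest_session_key` ordering, which is what turned the old check into a hard failure for Samba machine accounts.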

@@ -119,6 +119,23 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
return TRUE;
}
/*
* Detect if `key' is the using the the precomputed `default_salt'
* (for des-cbc-crc) or any salt otherwise.
*
* This is for avoiding Kerberos v4 (yes really) keys in AS-REQ as
* that salt is strange, and a buggy client will try to use the
* principal as the salt and not the returned value.
*/
static krb5_boolean
is_good_salt_p(const krb5_salt *default_salt, const Key *key)
{
if (key->key.keytype == KRB5_ENCTYPE_DES_CBC_CRC)
return is_default_salt_p(default_salt, key);
return TRUE;
}
krb5_boolean
_kdc_is_anon_request(const KDC_REQ *req)
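Review bot: the doc comment on the new is_good_salt_p has a doubled article ("is the using the the precomputed `default_salt'"); suggest "Detect whether `key' uses the precomputed `default_salt' (for des-cbc-crc) or accepts any salt otherwise." The comment would also benefit from one sentence giving the reason the check is narrowed to des-cbc-crc, which the commit message states but the code does not: a saltless arcfour-hmac-md5 key otherwise passes the default-salt test and is chosen ahead of an AES key derived with a non-default salt.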
@@ -277,7 +294,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
enctype = p[i];
ret = 0;
if (is_preauth && ret_key != NULL &&
!is_default_salt_p(&def_salt, key))
!is_good_salt_p(&def_salt, key))
continue;
}
}
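Review bot: this is the first of two identical call sites that swap is_default_salt_p for is_good_salt_p inside the same `is_preauth && ret_key != NULL` condition; a later change to one loop is easy to miss in the other. Consider hoisting the whole test into a single small helper used by both loops, or at least add a comment at each site pointing to the other.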
@@ -310,7 +327,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
enctype = etypes[i];
ret = 0;
if (is_preauth && ret_key != NULL &&
!is_default_salt_p(&def_salt, key))
!is_good_salt_p(&def_salt, key))
continue;
}
}
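Review bot: no regression test accompanies the change even though the commit message names the concrete failing scenario (a machine account holding an AES key on a non-default salt plus a saltless arcfour-hmac-md5 key, with preauth_use_strongest_session_key = true). A test that sets up such a principal and asserts that the AES enctype is selected in this client-ordered loop and in the KDC-ordered loop above, while a des-cbc-crc key on a non-default salt is still skipped, would guard against the original is_default_salt_p check being reintroduced at either site.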