If use_strongest_session_key and no keys are found the return
code will be set to KRB5KDC_ERR_ETYPE_NOSUPP. However, before
exiting if the principal is a weak exception then the return
code will be set to success and a NULL key pointer will be
dereferenced. Skip the weak exception check if the return
code is non-zero.
Change-Id: I36d0e1b179b3392171ad6767c75111d59c3f2f7d
Samba clients are often machine accounts with non-default salts that
will fail if they can't use the AES encryption type they know the KDC
supports. The problem is that arcfour-hmac-md5 has no salt so was
being used in preference.
Samba started to fail when
kdc_config->preauth_use_strongest_session_key = true;
was forced into the KDC configuration.
The history here is an attempt to avoid Kerberos v4 salts in des-cbc-crc
keys, but this instead broke Samba clients with AES-keys on machine accounts
as these have a non-default salt by default. These accounts were incorrectly
restricted to arcfour-hmac-md5 and they didn't like that.
A broader fix than Samba commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53
REF: https://lists.samba.org/archive/samba/2021-October/237844.html
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
Change-Id: Ia8908a5a2eef107e6b133d7f0e4343c1988c18bb
Tighten up all of the call sites of hx509_request_get_san()
to free the output string returned upon failure.
Use frees(&s) instead of free(s); s = NULL;.
Change-Id: I71035d7c1d2330a1a3a1b3b730cdd6ba1e6b7da3
Change-Id: I4e872126f5c1deb48d36f5bdac22da7c0df3c8a1
warning: missing braces around initializer [-Wmissing-braces]
warning: (near initialization for 'fastreq.fast_options') [-Wmissing-braces]
warning: missing initializer for field 'padata' of 'struct KrbFastReq' [-Wmissing-field-initializers]
Now that ETYPE_xxx names are macros to the KRB5_ENCTYPE_xxx
symbols there is no longer a need to cast to (krb5_enctype).
Change-Id: Ib561f6e45346abac7a53eb1db0bfef60ee3bcb74
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.
This is not a very good fix, though the warnings remain. Such errors
can in principle be a problem because in C there is no standard enum
sizing.
In this case we have two enums with the same elements and so the same
size, so it's clearly not a problem.
Recent auditing changes (b1dcc1a4) introduced a leak into pa_enc_ts_validate()
where the encryption type name and error message could be leaked.
This patch fixes a compile error in the original commit.
Add some notes about the KDC plugin API contract, and require plugins to
explicitly indicate which version of the API they support (remove the macro
alias for the current version).
r->canon_client_princ is always an alias to r->client->entry.principal in the
AS, but use it for consistency with the TGS. (In the TGS, it may also come from
te PAC.)
Move the Services for User (SFU/S4U) implementation -- protocol transition and
constrained delegation -- into its own compilation unit, with an interface that
only takes an astgs_request_t, so it can be easily factored out into a plugin
module in the future.
This refactoring is also careful to update all client names in the request
structure after the SFU/S4U validation has successfully completed.
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
ASTGS_REQUEST_DESC_COMMON_ELEMENTS should not terminate in a semi-colon;
the consuming structure should include it. This is consistent with
HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS. This fixes the build on Windows.
Annotate libkdc APIs with KDC_LIB_{CALL,FUNCTION} to ensure correct calling
convention and optimized DLL importing on Windows.
Ensure Windows and libtool export tables are consistent.
Now heim_audit_addkv() correctly supports multiple values, the other functions
that (by design) replace existing values with a single value should use the
heim_audit_setkv prefix.
A subsequent commit could add variants that support multiple values for
non-string types.
