Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user
explicitly requested a PAC be present or absent.
Note: this changes the windc plugin ABI.
Use the UPN_DNS_INFO buffer of the PAC to include the canonical principal name.
Arguably we should use AD-LOGIN-ALIAS as defined in RFC6806, but we may not
always know all the principal's aliases, and this approach allows us to share
application service logic with Windows.
If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal
name, use it in lieu of the ticket client name to determine the GSS-API
initiator name.
See `asn1: Add --decorate=... for internal bookkeeping`, which adds an
option to `asn1_compile` for decorating SET/SEQUENCE types with fields
that are neither encoded nor decoded, but which _are_ copied and freed.
We'll use this to add name attributes to the `Principal` type (which is
used to represent Kerberos principal names in the krb5 GSS mechanism)
without having to rototill the GSS krb5 mechanism nor the krb5 library,
and without affecting the encodings of HDB entries (which happen to use
the `Principal` type).
This option, `--decorate=TYPE-NAME:FIELD-TYPE:field-name[?]` allows one to add
a field to any struct generated by the ASN.1 compiler for any SET or SEQUENCE
type such that:
- the field will be freed by the `free_TYPE_NAME()` function
- the field will be copied by the `copy_TYPE_NAME()` function
- the field will not be printed by the `print_TYPE_NAME()` function
- the field will NOT be encoded or decoded
This is useful for internal bookkeeping.
The first use of this may well be for adding an optional field to
`Principal` where information about name attributes will be stored,
which will then allow us to have GSS name attributes for the krb5
mechanism w/o having to refactor the mechanism to use a different
structure for representing `gss_name_t` mechnames than the one currently
used (`Principal`; `krb5_principal` happens to be a typedef alias of
`Principal *`).
So w/o massive rototilling of the GSS krb5 mechanism we can have name
attributes, _and_ we'll also be able to have those in the krb5 API as
well w/o any massive rototilling there either.
r->client_princ and r->server_princ are only set in the AS-REQ case, but
we perform the PAC check in the TGS-REQ case, so calling
krb5_unparse_name() will dereference a NULL pointer. Instead, use
r->cname and r->sname.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
add HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL to the capability flags for the
SQLite backend, as it uses the common _hdb_fetch_kvno() helper which supports
enterprise principals.
Failure to set this flag resulted in hdb_fetch_kvno() incorrectly returning
HDB_ERR_WRONG_REALM when enterprise principals were being used, as the
enterprise name translation was instead done by _kdc_db_fetch(), thereby
squashing the enterprise name type (which otherwise would have set the
force_canonicalize option).
08e0305b introduced a patch to validate armor ticket PACs, but required that
the armor client principal was in the local realm (as it did not allow
_kdc_db_fetch() to fail).
Allow cross-realm FAST armor clients by using the same logic to look up the
client principal as the TGS itself does, i.e. use db_fetch_client() which
handles the case where the client is not local to the KDC.
Note: the armor PAC is only required to be validated when issuing a final,
non-referral service ticket, as this is the only point upon which device claims
should be inserted (according to my understanding).
Closes: #901
Add a new authorization data type to indicate a synthetic principal was used,
to allow synthetic clients acquired outside of PKINIT (e.g. with GSS-API
pre-authentication) to use the TGS.
Note: we continue to honor KRB5_AUTHDATA_INITIAL_VERIFIED_CAS to indicate that
it is OK for the client to be synthetic, even though it is only an indication
that the client *may* have been synthetic.
This reverts commit 6f81e4c93b.
This patch may have originated in Samba from before force_canonicalize was
supported. Because the server_principal argument to tgs_make_reply() is
canonicalized prior to calling (if the server entry has force_canonicalize
set), honoring it again in tgs_make_reply() is superfluous.
Initialize the tgs_req buffer in init_tgs_req() so pointers are valid when
freed. Fixes regression introduced when Apple TGS-REQ FAST code was imported in
PR #805.
Look up the client name of the armor TGT in the database, and check that
the PAC is valid.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Closes: #891
This allows Samba to have a behaviour where
even if canonicalize flag is not set, the canonical realm
is returned, allowing a HDB module to require behaviour
that is the same as Windows.
Regression (for a HDB module wanting AD behaviour) was
introduced by commit:
378f34b4be
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
[abartlet@samba.org Similar to Samba commit a9e6119ca0c2a78ef314c3162122539ee834aa04
but made conditional on server->entry.flags.force_canonicalize to
allow upstream submission]
If the pre-authentication mechanism replaced the reply key, then the kvno in
the KDC-REP should be zero, as the reply is not encrypted in the client's
(versioned) long-term key.
Closes: #899
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We also log the authentication duration.
This is not a general purpose profiling solution, but in Smaba
these JSON logs are already being generated and stored, so this
is worth adding.
Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
Samba processes.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(Similar to Samba commit f498ba77df2313e78863e5f2706840c43e232a96 and
bb2a1c6b3eaccf114ac3f3b5b51f57828a04996)
[metze@samba.org: improved for heimdal upstream]
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org: improved again for Heimdal based on feedback]
AES256 and AES128 are newer enctypes because they are officially
specified in RFC4120 and RFC8009, while enctypes not officially
specified since RFC4120 are considered older. This function differs from
older_enctype() in that it does not report unknown or non-existent
enctypes as being 'newer'.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Assists Samba to address CVE-2020-25719
It is critical to ensure that the name in the U2U TGT is still associated with
the account was issued to, so we must check the PAC to verify the SID.
Otherwise the SPN check via the S4U2Self hook might be mislead.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Similar to Samba commit 49a13f0fc942d1cfb767d5b6bf49d62241d52046)
Assists Samba to address CVE-2020-25719
Again, this may be contary to RFC4120 3.3.3
https://datatracker.ietf.org/doc/html/rfc4120/#section-3.3.3
(clearer at the GSS spec here:
https://datatracker.ietf.org/doc/html/draft-swift-win2k-krb-user2user-03 )
as server-name is decribed as optional, however Windows AD and Samba
both require that the server-name exist and be a valid SPN matching
the provided TGT.
The lookup of SPN -> entry ensures that the SPN the client thought it
was connecting to was held by the target server. it could be the
typical user principal, or a service principal, but needs to be checked
for the client not to be fooled into connecting to the wrong service.
The check is the same as needed for S4U2Self so the same HDB hook is re-used.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
(Similar to Samba commit f08e6ac86226dcd939fd0e40b6f7dc80c5c00e79)
Assists Samba to address CVE-2020-25719
This may be contary to RFC4120 3.3.3 at
https://datatracker.ietf.org/doc/html/rfc4120/#section-3.3.3
(clearer in the GSS mechanism here:
https://datatracker.ietf.org/doc/html/draft-swift-win2k-krb-user2user-03 )
as server-name is decribed as optional, however Windows AD and Samba
both require that the server-name exist and be a valid SPN matching
the provided TGT.
The lookup of SPN -> entry ensures that the SPN the client thought it
was connecting to was held by the target server. it could be the
typical user principal, or a service principal, but needs to be checked
for the client not to be fooled into connecting to the wrong service.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Similar to Samba commit fd50fecbe99ae4fc63843c796d0a516731a1fe6a)
Assists Samba to address CVE-2020-25719
Passing in target_server as a string principal means that for
an alias we must looking up the DB twice.
This is subject to a race and is a poor use of resources,
so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
We also avoid doing a name comparison if the HDB plugin provides
a validation hook, this allows the HDB layer more freedom
to choose how to handle things.
In Samba AD the client record has already been bound to the the
original client by the SID check in the PAC, so the record is
known to match the ticket.
Likewise by looking up server only once we ensure that the
keys looked up originally (to decrypt) are in the record
we confirm the SID for here.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(Based on Samba commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376)