From 04b262f686b5b16ba659ade1e4b5778e2b219f0a Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Mon, 16 Sep 2019 16:40:12 +0300
Subject: [PATCH 1/2] Adapt sign_authdata in our KDB module for krb5 v1.18
Signed-off-by: Isaac Boukris
---
 source4/kdc/mit-kdb/kdb_samba.c | 2 +-
 source4/kdc/mit-kdb/kdb_samba.h | 21 +++++++++++++++++++++
 source4/kdc/mit-kdb/kdb_samba_policies.c | 24 ++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
index c5157d6ed1b..02bbdca9f54 100644
--- a/source4/kdc/mit-kdb/kdb_samba.c
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
- .min_ver = 1,
+ .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
 .init_library = kdb_samba_init_library,
 .fini_library = kdb_samba_fini_library,
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index 22ef9085b6a..ad4f6e27573 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,

 /* from kdb_samba_policies.c */

+#if KRB5_KDB_API_VERSION < 10
 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 unsigned int flags,
 krb5_const_principal client_princ,
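Review bot: The `.min_ver` initializer in the kdb_samba.c hunk selects its value with `KRB5_KDB_DAL_MAJOR_VERSION == 6`, while the prototypes elsewhere in this series are selected with `KRB5_KDB_API_VERSION < 10`; two independent switches for the same library-version boundary can drift apart when a further DAL major appears, and nothing on the line records why major 6 maps to minor 1. A comment next to the initializer would make the intent checkable, e.g. `/* DAL major 6 is the last version whose minor 1 this module implements; later majors restart at minor 0 */`. That later majors begin at minor 0 is inferred from the expression itself and should be confirmed against the kdb.h the build targets. The rest of the vtable initializer runs past the hunk.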
@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 krb5_timestamp authtime,
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data);
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_db_entry *local_krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *local_krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ void *authdata_info,
+ krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data);
+#endif

 krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 krb5_kdc_req *kdcreq,
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index fc80329f221..e2f7174b0c2 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -287,6 +287,7 @@ done:
 return code;
 }

+#if KRB5_KDB_API_VERSION < 10
 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 unsigned int flags,
 krb5_const_principal client_princ,
@@ -301,6 +302,29 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data)
 {
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_db_entry *local_krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *local_krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ void *authdata_info,
+ krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data)
+{
+ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+#endif
 krb5_const_principal ks_client_princ;
 krb5_authdata **authdata = NULL;
 krb5_boolean is_as_req;
-- 
2.24.1
From c968ec07fa403ed919dcda7b3087e0d10d1e7a32 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Thu, 16 Jan 2020 22:00:21 +0100
Subject: [PATCH 2/2] Sign and verify PAC with ticket principal instead of canon principal
With MIT library 1.18 the KDC no longer set KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows us to not canonicalize them (like in Windwos / Heimdal). However, it now breaks the PAC signature verification as it was wrongly done using canonical client rather than ticket client name.
Signed-off-by: Isaac Boukris
---
 source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index e2f7174b0c2..6a5f06a8a8c 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
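Review bot: The fallback lines `krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;` and `krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;` are placed before the function's local declarations (`krb5_const_principal ks_client_princ;` and the following lines are context), so in the `KRB5_KDB_API_VERSION >= 10` build the body opens with statements and only then declares locals, and nothing says why a NULL `krbtgt` is mapped back to the local TGT entry. The likely reason is that the newer API passes `krbtgt` as NULL when the request carries no TGT while the verify and sign calls later in the function need a non-NULL entry and key, but that is inferred rather than visible in this hunk. Suggest moving the two lines below the declarations and, if that contract is confirmed, documenting it with `/* Newer DAL: krbtgt/krbtgt_key are NULL without a header TGT; fall back to the local TGT entry and key as the older API passed them. */`. The new parameters `authdata_info` and `auth_indicators` are not referenced in the visible lines; if they are intentionally unused that is worth one comment too. The function body continues past the hunk.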
@@ -325,20 +325,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
 krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
 #endif
- krb5_const_principal ks_client_princ;
 krb5_authdata **authdata = NULL;
 krb5_boolean is_as_req;
 krb5_error_code code;
 krb5_pac pac = NULL;
 krb5_data pac_data;

- /* Prefer canonicalised name from client entry */
- if (client != NULL) {
- ks_client_princ = client->princ;
- } else {
- ks_client_princ = client_princ;
- }
-
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);

 if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
@@ -351,7 +343,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 if (!is_as_req) {
 code = ks_verify_pac(context, flags,
- ks_client_princ,
+ client_princ,
 client,
 server,
 krbtgt,
@@ -378,7 +370,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 goto done;
 }

- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+ code = krb5_pac_sign(context, pac, authtime, client_princ,
 server_key, krbtgt_key, &pac_data);
 if (code != 0) {
 DBG_ERR("krb5_pac_sign failed: %d\n", code);
-- 
2.24.1
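Review bot: Removing the `client != NULL` preference in the `@@ -325` hunk leaves `client_princ` as the only name passed to `ks_verify_pac` (the `@@ -351` hunk) and to `krb5_pac_sign` (the `@@ -378` hunk), and the deleted comment was the only place in the code that explained which name the PAC signature is bound to; the replacement carries none. The rationale in the commit message — the signature must cover the client name in the ticket rather than the canonical DB entry name — belongs in the code at the first `client_princ` use, e.g. `/* Sign and verify the PAC over the client name in the ticket, not the canonical entry name; see commit message. */`. Whether `client_princ` can itself be NULL on any path the DAL invokes this function with is not visible here and is worth confirming now that there is no fallback. The function's body continues outside these hunks.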