[19613] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Checking the transited list of a kerberos ticket in a transitive

daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Fri Aug 18 09:24:48 2017

To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
        "kitten@ietf.org" <kitten@ietf.org>,
        Samba Technical <samba-technical@lists.samba.org>,
        "heimdal-discuss@h5l.org" <heimdal-discuss@h5l.org>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <fe30e2fa-089e-9142-e868-49f6f17cd1c3@samba.org>
Date: Fri, 18 Aug 2017 15:22:04 +0200
MIME-Version: 1.0
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Content-Type: multipart/mixed; boundary="===============3248614499077651086=="
Errors-To: krbdev-bounces@mit.edu

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3248614499077651086==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI
Content-Type: multipart/mixed; boundary="7qMqI6IB7IdHBMHJTBmsJ81MSe8HQMfPC";
	protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
	"kitten@ietf.org" <kitten@ietf.org>,
	Samba Technical <samba-technical@lists.samba.org>,
	"heimdal-discuss@h5l.org" <heimdal-discuss@h5l.org>
Message-ID: <fe30e2fa-089e-9142-e868-49f6f17cd1c3@samba.org>
Subject: Re: Checking the transited list of a kerberos ticket in a transitive
	cross-realm trust situation...
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>

--7qMqI6IB7IdHBMHJTBmsJ81MSe8HQMfPC
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Moving this from heimdal-discuss@sics.se to heimdal-discuss@h5l.org,
sorry...

Am 18.08.2017 um 14:35 schrieb Stefan Metzmacher via samba-technical:
> Hi,
>=20
> I'm currently researching on how I can implement S4U2Self in
> Samba's winbindd in order to get the PAC with the full
> Windows authorization token in a reliable way for any user
> within an active directory forest as well across transitive
> forest trusts.
>=20
> The only thing that should be required is a service (computer) account
> in the primary domain/realm.
>=20
> But in practice I'm facing several problems:
>=20
> Heimdal (at least the copy of ~ 1.5 within Samba)
> doesn't support S4U2Self for cross-realm trusts.
>=20
> MIT (tested with 1.14.3) supports S4U2Self for
> cross-realm trusts, which are in simple hierarchy.
> Otherwise it complains and returns KRB5KRB_AP_ERR_ILL_CR_TKT.
> That can be fixed if I add the correct magic to the [capaths] section
> of krb5.conf.
>=20
> The problem happens when you have 2 tree root domains within an
> active directory forest together with a forest trust.
>=20
> In my case I have a forest called W4EDOM-L4.BASE with a single domain
> and a forest called BLA.BASE with a 2nd domain BLA2.BASE.
>=20
> So trust path between W4EDOM-L4.BASE and BLA2.BASE goes via BLA.BASE.
>=20
> In an active directory environment domain members just delegate
> authentication to the domain controllers, so they trust
> their DCs to do the correct things, e.g. applying SID-Filtering
> for the PAC within the tickets.
>=20
> So the service can just verify the PAC was correctly signed by
> a KDC of it's own realm and everything else shouldn't matter,
> it doesn't have to know about the full trust topology!
>=20
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts it's own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.
>=20
> The thing is that KDC's should apply some policies
> of which client realms can come over which direct trust.
> As KDC's have some knowledge about the trust topology.
> This is basically what the SID-Filtering in active directory
> is for, it prevents DCs from other domains/realms to impersonate
> principals of the local realm.
>=20
> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) is their current form?
>=20
> If a KDC checks something it should be checking the PA-TGS-REQ,
> and verify the client realm is allowed to transit via the
> realm of the (cross-realm) tgt. But checking the transited field
> of the ticket seems pointless to me.
>=20
> If there's however a good reason to keep the checks for non
> active directory realms, I'd propose to add something like
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
> to Heimdal and MIT in order to allow applications to avoid
> the pointless checks.
>=20
> Comments on this would be highly appreciated!
>=20
> If you're not so familiar with active directory domains,
> please have a look at:
> https://www.samba.org/~metze/presentations/2017/SambaXP/StefanMetzmache=
r_sambaxp2017_windows_authentication-rev1-handout.pdf
>=20
> Thanks!
> metze
>=20



--7qMqI6IB7IdHBMHJTBmsJ81MSe8HQMfPC--

--sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJZlun/AAoJEA219WEoab1WVjEQAJckqMOIjULNVC8aj4V7Zxpo
0TXoSOvtC++n/dTRNJ3sUmn+qHOEVpvBCcjTslciC+5RKsdZNPk6pkvcOX6s2tmQ
tBjQ76O9SOZBJ3z0wjsqTIuBGx6Yg3+piUcNOaGqezRMd2wtjhrz1ziKxKcKgMZP
qfVVZiSOJKkN407hj1EWeyQ5aGyv9cmchpzY01hSiWdDn/o252PccLIfwbAWl0UI
TcfG+kzVSmIfz0qBR+5O11lBknXez7CDPEK+8IX411byIj32YVYOBOZhSKxESYUk
B8L31km4lPZfbwXTipxqA2ssLCGYIZgAGG8MGPrdprM70fXHuQTmL1nTu22FnzZu
bWwMl2Ooxb5EjLoL1OEkxov2T1Rc8dStLHqXXoVj2qHjj7hsic67wyd8rHF1o7WM
+v0nmBTaEVXfm0E1yYMEZRrDUXiXeP9VCE7u3RvhXUKGSy0Jl9wmwMZSCjsAgnfc
V6Uueah6a7q3UJWQL5/4zFI6zU6FZFgjIn0N6qmGRIJjroVET53ZQQ4wF0CirxeR
DYuFqczx9Lx1Q04G/6+pfRWAQAUL1AIAc2J7Vst0xQEYR7l9aofrNtTxA5CbihHi
gj2gEBB/8WYih1Iw61sXHQHw92iZIAzRS3hwIHXXuADLFEGxYZfqOzgtbsCJmYkO
q3LJXY7bpTErOblgjt2q
=/udw
-----END PGP SIGNATURE-----

--sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI--

--===============3248614499077651086==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

--===============3248614499077651086==--

home help back first fref pref prev next nref lref last post