[19627] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

PAC verification fails for enterprise principals

daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Wed Aug 23 19:19:29 2017

To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <76ac560a-6c63-a875-d5dd-0ff38f5bd6e5@samba.org>
Date: Thu, 24 Aug 2017 01:19:16 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3394892913939583484=="
Errors-To: krbdev-bounces@mit.edu

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3394892913939583484==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT
Content-Type: multipart/mixed; boundary="eUEot5UEAakNihl5j9kQWww9jbSgJ54iJ";
	protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Message-ID: <76ac560a-6c63-a875-d5dd-0ff38f5bd6e5@samba.org>
Subject: PAC verification fails for enterprise principals

--eUEot5UEAakNihl5j9kQWww9jbSgJ54iJ
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi,

I found that krb5_pac_verify() fails if I asked for
S4U2Self with an enterprise principal.

The problem is that k5_pac_validate_client()
uses this:

    ret =3D krb5_parse_name_flags(context, pac_princname,
                                KRB5_PRINCIPAL_PARSE_NO_REALM,
                                &pac_principal);
    if (ret !=3D 0) {
        free(pac_princname);
        return ret;
    }

    free(pac_princname);

    if (pac_authtime !=3D authtime ||
        !krb5_principal_compare_flags(context,
                                      pac_principal,
                                      principal,
                                   KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
        ret =3D KRB5KRB_AP_WRONG_PRINC;

The value in the Client Info PAC element is the principal without
the realm part.
The KRB5_PRINCIPAL_PARSE_NO_REALM means we'll discard the @... part
of an enterprise principal.

The question is should I somehow add a flags variable that may
get |=3D KRB5_PRINCIPAL_PARSE_ENTERPRISE?

Heimdal uses a different approach:

    ret =3D krb5_unparse_name_flags(context, principal,
                                  KRB5_PRINCIPAL_UNPARSE_NO_REALM |
                                  KRB5_PRINCIPAL_UNPARSE_DISPLAY,
                                  &principal_string);
    if (ret) {
        free(logon_string);
        return ret;
    }

    ret =3D strcmp(logon_string, principal_string);
    if (ret !=3D 0) {
        ret =3D EINVAL;

I'd prefer to take over the logic from Heimal, if that's ok
I'll prepare a patch for that.

metze


--eUEot5UEAakNihl5j9kQWww9jbSgJ54iJ--

--aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJZng15AAoJEA219WEoab1WfdMQALKsAgdcOqUdj0s07vEHy+aX
teHW9h+qYEg9jk6GoWdtCh+q1hLQibEp3NH/V5dn4VTFwMpDXL73+Z2QjxfJD2pU
KOvO1fNTP9DtfDBOzGOTUrII9UkPu+4Xb+pFUbINFrOJVRnxZIWVFcXqja3TGg7z
trSE5jdrPuQNvgQQeTSrO/gPYGjhMe1ZVuO4ticMVvd6u87qmssDzejl9TZFIa3k
D7HHISBoTGzFLGTS6xRUAGLy9hee57dqD2azk/kpEfPdUKEgTZ57P/2x2ZbZzJKt
ZSbFPRP4C3UfN9n8msJCxo1w4FMGrtNbAHNWDXXwQZ9ZilxFB5yMQrxBfcfJ0zPB
yO7K5GxNKs4o9vaNzTkq66AkrnF976beaONAGmP+32yGvJu9E4xM8AL1uScahoTA
GX4Pgb3t+6XpCOTCx3tbeaP1RJhFNQHAdml9oA5NFrDzrHI5GFJ0VG4ATvadmzTL
TG6xXLRsPB9SB7S5pJbaT3ogko1eFMI+DDGvpkpwRyaoM3ew0EvZT3xgnRtBAnqy
E7NTmvKluUgvLG9tE5u9gF0RHuj9Hig3z41VxyKsbZmuWDevGdZKuKB9Kz++6Yc9
PrF6RCBo16lHmDdFYMSNOTIUqLA6HFR98VcnderaYhfeSoVYuE7i3sw0rlaX8p6r
A0vmFzq83Dz/mljwzIlN
=CnkZ
-----END PGP SIGNATURE-----

--aNi3UIqPVAtGhLt9pKBnw8EpBtU9M6AQT--

--===============3394892913939583484==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

--===============3394892913939583484==--

home help back first fref pref prev next nref lref last post