[19831] in Kerberos_V5_Development
Re: kdc: cross realm s4u2self handling
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Sat Sep 29 01:35:00 2018
MIME-Version: 1.0
In-Reply-To: <CAC-fF8RUgZnE9AZTjSeWsD_OPHq-wAXEyzdr3xErKM+3Vo2Jtg@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 29 Sep 2018 11:04:26 +0530
Message-ID: <CAC-fF8TeWJTPYkcdYzfV39yYoTRtXdh852mR9-qSgrao2T-Ykw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, Sep 21, 2018 at 8:20 AM Isaac Boukris <iboukris@gmail.com> wrote:
>
> On Thu, Sep 20, 2018 at 4:03 AM, Greg Hudson <ghudson@mit.edu> wrote:
> > It occurs to me that a within-realm S4U2Self request (i.e. one using a local
> > TGT header ticket rather than a cross-TGT one) should still fail if it
> > results in a referral. I will try to put together a test case for that.
>
> I see, though I'm not sure I understand how this would happen.
>
> In any case, would it suffice to condition the check on:
> is_local_principal(kdc_active_realm, header_ticket->server)
> Or perhaps on (are those two necessarily equivalent here btw?):
> !is_cross_tgs_principal(header_ticket->server)

Also note that another assumption I made in Heimdal was to skip the check
of 'ok_to_auth_as_delegate' before copying the forwardable flag when
issuing a referral.
For similar reasons: technically we don't have a DB entry to check,
and logically we are not issuing the service ticket but a referral, so
let the final KDC do the check.
To my understanding, MIT code already has this assumption, see (which
suggests again that referrals are intended to work for s4u2self):
https://buildfarm.opencsw.org/source/xref/krb5/src/kdc/do_tgs_req.c#434

> >> Other than that, what do you think of the pac_verify/sign_ex() routines,
> >> does it look ok?
> >
> > I looked over them briefly and don't have a problem with them. If you
> > submit a PR I will examine them more closely and cross-check against
> > [MS-PAC] and [MS-SFU].

This is now PR #852.
I got into some trouble when I tried to add unit tests: first, I
noticed that if a PAC is already signed, then the sign function would
just verify instead of re-signing, which would fail if it was signed
without realm and we want to sign it with realm.
It wasn't a problem in my tests with the Samba plugin, since the latter
always creates a new PAC and populates it anew, so I left that
unsupported.
Another issue was an enterprise principal with realm, which got unparsed
to this when signing:
(gdb) p pac_princname
$25 = 0x60a8b0 "w2003final$\\@WIN2K3.THINKER.LOCAL@WIN2K3.THINKER.LOCAL"
So for this case I added the KRB5_PRINCIPAL_UNPARSE_DISPLAY flag when
parsing the name to avoid the escaping.
I think we might want to add it generally (Heimdal does it).

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
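The escaping problem in the message above, as an added example that is not code from the thread or from MIT krb5: a simplified Python model of principal unparsing and parsing, assuming MIT's rule that '/', '@' and backslash are backslash-escaped unless the DISPLAY flag is used, applied to the enterprise name quoted in the message.

```python
# Added example, not code from the thread or from MIT krb5: a simplified model
# of krb5 principal unparse/parse, showing what KRB5_PRINCIPAL_UNPARSE_DISPLAY
# changes for an enterprise principal. Assumed rule, modelled on MIT krb5:
# '/', '@' and '\\' in a component or realm are backslash-escaped unless the
# DISPLAY flag is set.
_ESCAPED = {"/", "@", "\\"}

# Constructed sample matching the name quoted in the message: an enterprise
# principal is a single component that itself contains an '@'.
ENTERPRISE = (["w2003final$@WIN2K3.THINKER.LOCAL"], "WIN2K3.THINKER.LOCAL")


def unparse_name(components, realm, display=False):
    """display=False models krb5_unparse_name (escaped, re-parseable);
    display=True models the DISPLAY flag (verbatim, for display/PAC use)."""
    def esc(s):
        if display:
            return s
        return "".join("\\" + c if c in _ESCAPED else c for c in s)
    return "/".join(esc(c) for c in components) + "@" + esc(realm)


def parse_name(text):
    """Split an escaped principal string into (components, realm): a backslash
    protects the next character, an unescaped '/' separates components and
    the first unescaped '@' starts the realm."""
    components, cur, in_realm, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped char: take literally
            cur += text[i + 1]
            i += 2
            continue
        if not in_realm and c == "@":          # realm separator
            components.append(cur)
            cur, in_realm = "", True
        elif not in_realm and c == "/":        # component separator
            components.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    if not in_realm:                           # no realm given
        return components + [cur], None
    return components, cur


if __name__ == "__main__":
    comps, realm = ENTERPRISE
    print(unparse_name(comps, realm))                # escaped form, as seen in gdb
    print(unparse_name(comps, realm, display=True))  # DISPLAY form
```

The escaped form round-trips through parse_name, while the DISPLAY form does not: re-parsing it splits at the first '@' and yields a different client name, which is why the unescaped form is only suitable where the string is consumed as-is.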