lorikeet-heimdal.git
5 months ago | lib/krb5: Align with MIT behaviour and provide krb5_init_creds_opt_set_fast_ccache... | lorikeet-heimdal-202311290849
Andrew Bartlett [Fri, 17 Nov 2023 04:40:33 +0000 (17:40 +1300)]
lib/krb5: Align with MIT behaviour and provide krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags()

It is easier for external callers to manipulate the krb5_get_init_creds_opt
(via the helpers) as this is passed down from higher up than the krb5_init_creds_context.

And just as importantly, alignment with MIT makes end-user callers happier.

Finally, this resolves the ambiguity as to which layer owns the
krb5_ccache, because, now that we match the MIT behaviour, the init_creds code
re-opens a private copy inside libkrb5, meaning the caller closes the
cache it opened, rather than handing it over to the library.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago | kdc: Note that the sname of a ticket may not be relied upon
Joseph Sutton [Thu, 21 Sep 2023 23:16:31 +0000 (11:16 +1200)]
kdc: Note that the sname of a ticket may not be relied upon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | krb5: Consider a single‐component krbtgt principal to be the TGS
Joseph Sutton [Thu, 21 Sep 2023 22:35:11 +0000 (10:35 +1200)]
krb5: Consider a single‐component krbtgt principal to be the TGS

This matches the behaviour of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | hdb: Avoid passing a NULL pointer to strcmp()
Joseph Sutton [Thu, 21 Sep 2023 22:54:42 +0000 (10:54 +1200)]
hdb: Avoid passing a NULL pointer to strcmp()

To do so is to invoke undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Make use of krb5_principalname_is_krbtgt()
Joseph Sutton [Thu, 21 Sep 2023 22:36:47 +0000 (10:36 +1200)]
kdc: Make use of krb5_principalname_is_krbtgt()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | krb5: Make use of krb5_principalname_is_krbtgt()
Joseph Sutton [Thu, 21 Sep 2023 23:35:35 +0000 (11:35 +1200)]
krb5: Make use of krb5_principalname_is_krbtgt()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | krb5: Add function to determine whether a principal name is a krbtgt principal
Joseph Sutton [Thu, 21 Sep 2023 22:32:07 +0000 (10:32 +1200)]
krb5: Add function to determine whether a principal name is a krbtgt principal

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kcm: Make use of krb5_principal_is_krbtgt()
Joseph Sutton [Thu, 21 Sep 2023 23:20:49 +0000 (11:20 +1200)]
kcm: Make use of krb5_principal_is_krbtgt()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: introduce HDB_F_USER2USER_PRINCIPAL
Stefan Metzmacher [Tue, 10 Oct 2023 13:23:35 +0000 (15:23 +0200)]
kdc: introduce HDB_F_USER2USER_PRINCIPAL

This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup to succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.

But for User2User the account password is not used,
so it is safe to return the server entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago | hdb: Provide client entry to RBCD plugin
Joseph Sutton [Fri, 4 Aug 2023 01:14:54 +0000 (13:14 +1200)]
hdb: Provide client entry to RBCD plugin

This helps with passing claims through to the RBCD access check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: support pkinit_kdc_revoke for pkinit anchors
Kacper Boström [Thu, 5 May 2022 11:03:27 +0000 (13:03 +0200)]
kdc: support pkinit_kdc_revoke for pkinit anchors

Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | pkinit: Correctly pad Diffie-Hellman key
Joseph Sutton [Wed, 5 Jul 2023 02:43:20 +0000 (14:43 +1200)]
pkinit: Correctly pad Diffie-Hellman key

If the Diffie-Hellman key was ‘n’ bytes too short, we would shift it to
the right ‘n’ places, padding it out to the correct length to compute
the reply key.

Unfortunately, we forgot to increase the size of the key accordingly, so
‘n’ trailing key bytes would be discarded. This could mean failure to
decrypt a reply when interoperating with a Kerberos implementation
without this bug.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Add KDC support for PKINIT Freshness extension (RFC 8070)
Joseph Sutton [Tue, 4 Jul 2023 00:46:22 +0000 (12:46 +1200)]
kdc: Add KDC support for PKINIT Freshness extension (RFC 8070)

Clients indicating support for PKINIT Freshness (by means of an empty
PADATA_AS_FRESHNESS type) will receive in the reply a freshness token to
be included in the client’s PK-INIT request which proves the client’s
recent possession of the private key.

The require-pkinit-freshness option, if enabled, will reject PK-INIT
requests that lack this token.

Freshness tokens are only supported with the PA-PK-AS-REQ padata type.
The PA-PK-AS-REQ-Win2k type has no field to contain a freshness token.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Move TGS lookup to before preauth data validation
Joseph Sutton [Tue, 4 Jul 2023 00:46:19 +0000 (12:46 +1200)]
kdc: Move TGS lookup to before preauth data validation

For a PK-INIT request, we want to have the local krbtgt key available to
encrypt a new freshness token, and to decrypt a freshness token sent us
by a client.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Fix spelling
Joseph Sutton [Tue, 4 Jul 2023 00:46:38 +0000 (12:46 +1200)]
kdc: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Fix leak with PK-INIT-Win2k
Joseph Sutton [Tue, 4 Jul 2023 00:43:43 +0000 (12:43 +1200)]
kdc: Fix leak with PK-INIT-Win2k

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Prefer nonce in PKAuthenticator over that in request body
Joseph Sutton [Sun, 2 Jul 2023 22:42:43 +0000 (10:42 +1200)]
kdc: Prefer nonce in PKAuthenticator over that in request body

This matches the behaviour of the Windows KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Add support for resource-based constrained delegation
Joseph Sutton [Tue, 20 Jun 2023 04:10:20 +0000 (16:10 +1200)]
kdc: Add support for resource-based constrained delegation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | hdb: Add hook for resource-based constrained delegation
Joseph Sutton [Tue, 20 Jun 2023 04:10:02 +0000 (16:10 +1200)]
hdb: Add hook for resource-based constrained delegation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: add kdc_request_get_[explicit_]armor_server
Stefan Metzmacher [Thu, 22 Jun 2023 13:51:08 +0000 (15:51 +0200)]
kdc: add kdc_request_get_[explicit_]armor_server

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Add KDC_AUTH_EVENT_CLIENT_FOUND authentication event
Joseph Sutton [Thu, 25 May 2023 02:45:04 +0000 (14:45 +1200)]
kdc: Add KDC_AUTH_EVENT_CLIENT_FOUND authentication event

This is to ensure that we have an event to log if the request fails
early (for example, in _kdc_check_access()).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | Revert "Verify flags after the user been required to prove its identity * with"
Joseph Sutton [Wed, 24 May 2023 04:02:08 +0000 (16:02 +1200)]
Revert "Verify flags after the user been required to prove its identity * with"

This reverts commit 6561b13ccb504ba545b4e58fbe4c2f5dda3589cd.

Samba uses the ‘client_access’ plugin hook to enforce device
restrictions. Windows enforces device restrictions before checking the
client’s pre-authentication (shown by authenticating with the wrong
password when device restrictions are present). Therefore we should call
_kdc_check_flags() earlier, before checking pa-data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc-plugin: Provide plugin with delegated proxy HDB entry and PAC
Joseph Sutton [Mon, 19 Jun 2023 03:53:56 +0000 (15:53 +1200)]
kdc-plugin: Provide plugin with delegated proxy HDB entry and PAC

These are needed to be able to enforce Microsoft’s authentication
policies properly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Check server of constrained delegation evidence ticket
Joseph Sutton [Mon, 19 Jun 2023 03:51:13 +0000 (15:51 +1200)]
kdc: Check server of constrained delegation evidence ticket

This is to make sure that the delegating server hasn’t just presented a
ticket to a completely different service with a forged ‘sname’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc-plugin: Make ‘client_principal’ const
Joseph Sutton [Mon, 19 Jun 2023 03:43:38 +0000 (15:43 +1200)]
kdc-plugin: Make ‘client_principal’ const

‘krb5_principal’ is a typedef, and ‘const krb5_principal’ is not const
in the way that one might think.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Validate armor TGT for AS-REQs
Joseph Sutton [Mon, 19 Jun 2023 03:32:00 +0000 (15:32 +1200)]
kdc: Validate armor TGT for AS-REQs

The KDC plugin requires the armor PAC in order to be able to enforce
device restrictions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Don’t update the PAC if we perform Services for User
Joseph Sutton [Mon, 19 Jun 2023 03:16:46 +0000 (15:16 +1200)]
kdc: Don’t update the PAC if we perform Services for User

_kdc_validate_protocol_transition() generates an entirely new PAC, and
_kdc_validate_constrained_delegation() performs its own PAC update. The
call to _kdc_pac_update() immediately beforehand thus becomes
superfluous.

Furthermore, the way Windows enforces authentication policies when
Services for User are employed means that we should only call the
plugin’s PAC update function when it is actually necessary, or we may
end up failing with ERR_POLICY errors.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Have caller perform checking for _kdc_validate_constrained_delegation()
Joseph Sutton [Mon, 19 Jun 2023 03:01:48 +0000 (15:01 +1200)]
kdc: Have caller perform checking for _kdc_validate_constrained_delegation()

This means that the function now has no early success case — now it
should be called only when applicable. A successful return code now
indicates that constrained delegation took place successfully.

This is closer to how this code used to be prior to commit
0287558838de79313e38026d2f0905ffc987d0b8.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Have _kdc_validate_protocol_transition() take PA-DATA parameter
Joseph Sutton [Mon, 19 Jun 2023 02:56:54 +0000 (14:56 +1200)]
kdc: Have _kdc_validate_protocol_transition() take PA-DATA parameter

This means that the function now has no early success case — now it
should be called only when applicable. A successful return code now
indicates that a successful protocol transition took place.

This is closer to how this code used to be prior to commit
0287558838de79313e38026d2f0905ffc987d0b8.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Inline calls to Services for User functions
Joseph Sutton [Mon, 19 Jun 2023 02:44:47 +0000 (14:44 +1200)]
kdc: Inline calls to Services for User functions

We shall presently need to change the logic of these function calls,
which we cannot do while they are contained in a wrapper function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Provide kdc_request_get_armor_{clientdb,client,pac}()
Joseph Sutton [Mon, 19 Jun 2023 02:29:15 +0000 (14:29 +1200)]
kdc: Provide kdc_request_get_armor_{clientdb,client,pac}()

A plugin might need the armor PAC in order to validate that the client
is allowed to authenticate using a specific device. Currently, that
information is only made available if explicit TGS armor is used.

We now enable the plugin to access this information if any kind of FAST
armor is used. The existing kdc_request_get_explicit_armor_*() functions
are kept around for convenience.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Add enable_fast_cookie option (enabled by default)
Joseph Sutton [Fri, 9 Jun 2023 02:50:17 +0000 (14:50 +1200)]
kdc: Add enable_fast_cookie option (enabled by default)

This option allows the FAST cookie and mechanisms relying upon it to be
disabled, and for a dummy FX-COOKIE string to be sent instead. This is
useful for Samba, which has no need for the cookie in order to implement
Active Directory, and in which the relevant code is completely untested.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Check lifetime of correct ticket
Joseph Sutton [Tue, 18 Apr 2023 02:28:01 +0000 (14:28 +1200)]
kdc: Check lifetime of correct ticket

The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Allow e_data field of KDC request structure to override error data in reply
Joseph Sutton [Wed, 17 May 2023 04:00:15 +0000 (16:00 +1200)]
kdc: Allow e_data field of KDC request structure to override error data in reply

If the e_data field in the KDC request structure has been set, use that
in preference to creating the error data ourselves.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Split out function to create error data
Joseph Sutton [Thu, 1 Dec 2022 02:35:56 +0000 (15:35 +1300)]
kdc: Split out function to create error data

The creation of FAST e-data is now handled by a new function,
_kdc_fast_mk_e_data().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Add ‘e-data’ field to KDC request structure
Joseph Sutton [Wed, 17 May 2023 03:55:55 +0000 (15:55 +1200)]
kdc: Add ‘e-data’ field to KDC request structure

This field can be set to override the error data that the KDC would have
returned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA)
Joseph Sutton [Thu, 9 Nov 2023 23:20:46 +0000 (12:20 +1300)]
krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA)

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | asn1: Add KERB-ERROR-DATA type
Joseph Sutton [Wed, 17 May 2023 03:53:36 +0000 (15:53 +1200)]
asn1: Add KERB-ERROR-DATA type

This type is used by Windows to carry custom error data, usually an
NTSTATUS code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Do not return ETYPE-INFO if the client is locked out
Joseph Sutton [Wed, 17 May 2023 03:51:56 +0000 (15:51 +1200)]
kdc: Do not return ETYPE-INFO if the client is locked out

This matches the behaviour of Windows.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Ensure return value is initialized
Joseph Sutton [Wed, 17 May 2023 04:07:30 +0000 (16:07 +1200)]
kdc: Ensure return value is initialized

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Return NEVER_VALID error code if ticket will never be valid
Joseph Sutton [Thu, 13 Apr 2023 23:47:08 +0000 (11:47 +1200)]
kdc: Return NEVER_VALID error code if ticket will never be valid

This matches the error generated by Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Always apply maximum ticket lifetime and renew time when non-NULL
Joseph Sutton [Tue, 16 May 2023 05:10:09 +0000 (17:10 +1200)]
kdc: Always apply maximum ticket lifetime and renew time when non-NULL

This allows a lifetime of zero to work.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | hdb: Make maximum ticket lifetime and renew time signed integers
Joseph Sutton [Tue, 16 May 2023 05:07:07 +0000 (17:07 +1200)]
hdb: Make maximum ticket lifetime and renew time signed integers

This allows for negative lifetimes to be encoded, and fits in better
with our use elsewhere of time_t, which in POSIX is a signed integer
type.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | krb5: Add functions to determine whether PAC is trusted
Joseph Sutton [Thu, 16 Mar 2023 22:21:39 +0000 (11:21 +1300)]
krb5: Add functions to determine whether PAC is trusted

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Move _krb5_pac_get_attributes_info() call to right place
Joseph Sutton [Wed, 8 Mar 2023 19:55:02 +0000 (08:55 +1300)]
kdc: Move _krb5_pac_get_attributes_info() call to right place

Whether or not we set pac_attributes should not depend on pac_canon_name
being NULL or non-NULL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc-plugin: Split updating a PAC out of PAC verification
Joseph Sutton [Wed, 8 Mar 2023 02:22:29 +0000 (15:22 +1300)]
kdc-plugin: Split updating a PAC out of PAC verification

Up to now krb5plugin_kdc_pac_verify() has served both to verify and to
update a PAC. There are cases, however, when we only want to retrieve
and verify a PAC, but don't want to modify it. This is the case with the
PAC from a FAST armor ticket.

Therefore, add a new plugin function, pac_update(), that will update a
PAC obtained using pac_verify(). pac_verify() now only deals with
verifying a PAC, while pac_update() handles any necessary updates to it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Call _kdc_fast_check_armor_pac() prior to calling _kdc_check_pac()
Joseph Sutton [Wed, 8 Mar 2023 02:37:30 +0000 (15:37 +1300)]
kdc: Call _kdc_fast_check_armor_pac() prior to calling _kdc_check_pac()

The plugin code invoked by _kdc_check_pac() may need to access
explicit_armor_client and explicit_armor_pac, but those fields are not
set until after calling _kdc_fast_check_armor_pac(). Hence we must do
that first.

We also now call _kdc_fast_check_armor_pac() regardless of whether the
ticket was issued by the KDC or whether the server principal is the
krbtgt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | lib/hdb: Make hdb_enctype2key() parameter const
Joseph Sutton [Wed, 8 Mar 2023 02:24:56 +0000 (15:24 +1300)]
lib/hdb: Make hdb_enctype2key() parameter const

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_...
Andrew Bartlett [Tue, 1 Nov 2022 02:20:47 +0000 (15:20 +1300)]
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added

ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 months ago | CVE-2022-37966 third_party/heimdal: Fix error message typo
Joseph Sutton [Mon, 21 Nov 2022 01:01:47 +0000 (14:01 +1300)]
CVE-2022-37966 third_party/heimdal: Fix error message typo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago | CVE-2022-37967 Add new PAC checksum
Joseph Sutton [Wed, 9 Nov 2022 00:45:13 +0000 (13:45 +1300)]
CVE-2022-37967 Add new PAC checksum

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Amended in lorikeet-heimdal to make test_pac continue to pass]

5 months ago | CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list...
Andrew Bartlett [Tue, 1 Nov 2022 01:47:12 +0000 (14:47 +1300)]
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key

We need to select server, not client, to compare client etypes against.

(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
5 months ago | SAMBA ONLY krb5: Don't generate PAC_ATTRIBUTES_INFO and UPN_DNS_INFO buffers
Joseph Sutton [Tue, 4 Jan 2022 21:39:14 +0000 (10:39 +1300)]
SAMBA ONLY krb5: Don't generate PAC_ATTRIBUTES_INFO and UPN_DNS_INFO buffers

Currently we leave it up to the plugin to generate them, which allows
more control over what situations they are included in.

[abartlet@samba.org This commit makes the check-context test fail, but
is critical to how Samba operates an AD DC, because Samba wants full
control of the buffers here.  A way to make this behaviour
optional would be useful in the future]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | SAMBA ONLY kdc: Always include PAC if it is non-NULL
Joseph Sutton [Tue, 4 Jan 2022 21:18:28 +0000 (10:18 +1300)]
SAMBA ONLY kdc: Always include PAC if it is non-NULL

Currently, we allow the plugin to specify that the PAC should be omitted
by returning NULL for the PAC.

[abartlet@samba.org This commit needs to be reworked to use a plugin hook
as it overrides the default PAC behaviour and so the check-kdc and
check-kdc-weak tests fail as they don't get the client-controlled
behaviour they expect any more]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Allow requesting no PAC for AS-REQ to non-TGS server
Joseph Sutton [Tue, 4 Jan 2022 21:25:31 +0000 (10:25 +1300)]
kdc: Allow requesting no PAC for AS-REQ to non-TGS server

Note that we still get a PAC even if the NO_AUTH_DATA_REQUIRED flag is
set, which matches Windows behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | krb5: Remove UPN_DNS_INFO_EX realm check
Joseph Sutton [Tue, 4 Jan 2022 21:44:42 +0000 (10:44 +1300)]
krb5: Remove UPN_DNS_INFO_EX realm check

This check may fail if the realms do not match due to the netbios or
lowercase realm being used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: don't fail salt_fastuser_crypto with r->req.req_body.cname == NULL for TGS-REQ
Stefan Metzmacher [Fri, 25 Feb 2022 03:09:47 +0000 (04:09 +0100)]
kdc: don't fail salt_fastuser_crypto with r->req.req_body.cname == NULL for TGS-REQ

5 months ago | kdc: Add function to get current KDC time
Joseph Sutton [Wed, 22 Jun 2022 08:01:12 +0000 (20:01 +1200)]
kdc: Add function to get current KDC time

Assists Samba to address CVE-2022-2031

This allows the plugin to check the endtime of a ticket against the
KDC's current time, to see if the ticket will expire in the next two
minutes.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: add kdc_log() before _kdc_fast_mk_error() also for as-req
Stefan Metzmacher [Thu, 24 Feb 2022 12:27:29 +0000 (13:27 +0100)]
kdc: add kdc_log() before _kdc_fast_mk_error() also for as-req

We already have the same for the tgs-req case.

Got lost in https://github.com/heimdal/heimdal/pull/964

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago | krb5: Check for signed overflow
Joseph Sutton [Mon, 28 Feb 2022 23:00:48 +0000 (12:00 +1300)]
krb5: Check for signed overflow

This avoids a compiler error:

../../third_party/heimdal/lib/krb5/krbhst.c: In function ‘srv_find_realm.constprop’:
../../third_party/heimdal/lib/krb5/krbhst.c:113:8: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
     if (num_srv == 0) {
        ^

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Reinstate publicly accessible configuration structure members
Joseph Sutton [Tue, 22 Feb 2022 20:53:27 +0000 (09:53 +1300)]
kdc: Reinstate publicly accessible configuration structure members

We add some specific configuration options into
KRB5_KDC_CONFIGURATION_COMMON_ELEMENTS, as otherwise Samba no longer has
any way to access those options, other than through the configuration
file.

This is an adaptation to Heimdal:

commit b82815733598da9ba0807ad4754572276b6ffc06
Author: Luke Howard <lukeh@padl.com>
Date:   Thu Jan 20 09:15:24 2022 +1100

    kdc: add accessor functions for KDC request structure

    Add accessor functions for use by Samba and other plugin developers.
    Documentation is in kdc/kdc-accessors.h.

5 months ago | kuser: Avoid conflicting macro definitions
Joseph Sutton [Mon, 21 Feb 2022 06:47:14 +0000 (19:47 +1300)]
kuser: Avoid conflicting macro definitions

This avoids a conflict introduced in:

commit 78b3507131482d0a5d2c0b362a0970a6d0e4025d
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Dec 15 16:17:52 2021 -0600

    kinit: Use optimistic anon PKINIT armored FAST

    Now that we can optimistically try FAST w/ anon PKINIT armor, we should
    do so in kinit whenever it makes sense.

5 months ago | krb5: Set canonicalize flag for enterprise principals
Stefan Metzmacher [Mon, 6 Apr 2020 13:16:42 +0000 (15:16 +0200)]
krb5: Set canonicalize flag for enterprise principals

5 months ago | lib/krb5: allow access to anonymous mcache entries via name
Stefan Metzmacher [Wed, 1 Apr 2020 21:09:57 +0000 (23:09 +0200)]
lib/krb5: allow access to anonymous mcache entries via name

The idea of anonymous mcache entries is that they won't be
included in the global ccache collection. But at the
same time they should be accessible via a name.

There might be better ways to do this, e.g. let the
caller specify a name like 'anonymous-application-key1'.

But we need a way to use MEMORY ccaches for different
security contexts, without the fear that they are randomly
used from the global list.

The better way would have been to opt-in in order to
fill the global ccache collection.

See 7e858c51b690ff0322766b328f60b41bc38d4ae3 for (at least part)
of the mess... there should not be a single global ccache collection
for MEMORY: ccaches! That is a security problem for applications
which used to be able to switch between different MEMORY ccaches!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago | lib/krb5: Fix loss of information in _gsskrb5_canon_name() from call to krb5_sname_to...
Andrew Bartlett [Tue, 26 Sep 2017 03:34:38 +0000 (16:34 +1300)]
lib/krb5: Fix loss of information in _gsskrb5_canon_name() from call to krb5_sname_to_principal()

This would discard the realm the client specified.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago | lib/krb5: Honour KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME in parse_name_canon_rules()
Andrew Bartlett [Tue, 26 Sep 2017 02:11:53 +0000 (15:11 +1300)]
lib/krb5: Honour KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME in parse_name_canon_rules()

This is called from gsskrb5_set_dns_canonicalize() and krb5_set_dns_canonicalize_hostname()
and is used by Samba to ensure that the AD DC sees the name as specified by the client.

We allow the krb5.conf to override, if specifically configured.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago | kdc: Change KDC to respect HDB server name type if f.canonicalize is set
Andrew Bartlett [Wed, 5 Sep 2018 02:50:00 +0000 (14:50 +1200)]
kdc: Change KDC to respect HDB server name type if f.canonicalize is set

This changes behaviour flagged as being for Java 1.6.  My hope is that this does not
set f.canonicalize

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago | kdc: Don't conceal error code when using FAST
Joseph Sutton [Tue, 16 Nov 2021 06:59:44 +0000 (19:59 +1300)]
kdc: Don't conceal error code when using FAST

This matches Windows behaviour, which also places the error code in the
outer error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | kdc: Send ETYPE-INFO2 instead of PW-SALT for validated timestamp
Joseph Sutton [Tue, 14 Dec 2021 01:19:15 +0000 (14:19 +1300)]
kdc: Send ETYPE-INFO2 instead of PW-SALT for validated timestamp

This matches Windows behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago | Adapt apply_heimdal.sh to new Heimdal location in Samba
Andrew Bartlett [Tue, 25 Oct 2022 19:18:33 +0000 (08:18 +1300)]
Adapt apply_heimdal.sh to new Heimdal location in Samba

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago | kdc: use the correct authtime from additional ticket for S4U2Proxy tickets
Stefan Metzmacher [Wed, 8 Nov 2017 12:18:29 +0000 (13:18 +0100)]
kdc: use the correct authtime from additional ticket for S4U2Proxy tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156

5 months ago | kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys...
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156

5 months ago | kdc: decrypt b->enc_authorization_data in tgs_build_reply()
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
kdc: decrypt b->enc_authorization_data in tgs_build_reply()

We need to do this after checking for constraint delegation (S4U2Proxy).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156

5 months ago | kdc: fix memory leak when decrypting AuthorizationData
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
kdc: fix memory leak when decrypting AuthorizationData

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156

5 months ago | kdc: remember kvno numbers for longterm key pre-auth
Stefan Metzmacher [Fri, 4 Mar 2022 23:39:14 +0000 (00:39 +0100)]
kdc: remember kvno numbers for longterm key pre-auth

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago | kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_chal_validate()
Stefan Metzmacher [Tue, 15 Feb 2022 17:26:55 +0000 (18:26 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_chal_validate()

If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago | kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_ts_validate()
Stefan Metzmacher [Tue, 15 Feb 2022 16:16:47 +0000 (17:16 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_ts_validate()

If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY value
Stefan Metzmacher [Mon, 7 Feb 2022 18:48:18 +0000 (19:48 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY value

This will be used to indicate that a historic password was
able to fulfil the pre-authentication. We'll still
fail the pre-authentication but pass
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY instead of
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY. It will allow
the hdb backend to avoid locking out the account in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago kdc: add success logging to pa_enc_chal_validate()
Stefan Metzmacher [Fri, 4 Mar 2022 23:24:41 +0000 (00:24 +0100)]
kdc: add success logging to pa_enc_chal_validate()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago kdc: split out pa_enc_chal_decrypt_kvno() from pa_enc_chal_validate()
Stefan Metzmacher [Tue, 15 Feb 2022 17:13:23 +0000 (18:13 +0100)]
kdc: split out pa_enc_chal_decrypt_kvno() from pa_enc_chal_validate()

This will simplify support for historic passwords in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago kdc: split out pa_enc_ts_decrypt_kvno() from pa_enc_ts_validate()
Stefan Metzmacher [Tue, 15 Feb 2022 16:15:57 +0000 (17:15 +0100)]
kdc: split out pa_enc_ts_decrypt_kvno() from pa_enc_ts_validate()

This will simplify support for historic passwords in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970

5 months ago lorikeet-heimdal: Move Heimdal into third_party directory
Joseph Sutton [Tue, 1 Mar 2022 00:56:25 +0000 (13:56 +1300)]
lorikeet-heimdal: Move Heimdal into third_party directory

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago lorikeet-heimdal: modernize URLs in helper scripts
Andrew Bartlett [Mon, 10 Sep 2018 21:13:07 +0000 (16:13 -0500)]
lorikeet-heimdal: modernize URLs in helper scripts

We have moved some repos and have https these days.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lorikeet-heimdal: import-lorikeet: Use --no-verify when importing heimdal
Andrew Bartlett [Mon, 10 Sep 2018 21:05:40 +0000 (16:05 -0500)]
lorikeet-heimdal: import-lorikeet: Use --no-verify when importing heimdal

This allows us to import byte-for-byte files even if they have whitespace "errors".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lorikeet-heimdal: apply_heimdal: Try harder to apply patches from Samba
Andrew Bartlett [Wed, 5 Sep 2018 02:04:44 +0000 (14:04 +1200)]
lorikeet-heimdal: apply_heimdal: Try harder to apply patches from Samba

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lorikeet-heimdal: apply_heimdal: Only show the Heimdal part of the patch to cherry...
Andrew Bartlett [Wed, 5 Sep 2018 01:57:35 +0000 (13:57 +1200)]
lorikeet-heimdal: apply_heimdal: Only show the Heimdal part of the patch to cherry-pick

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lorikeet-heimdal: Include Samba commit in cherry-picked patches
Andrew Bartlett [Wed, 5 Sep 2018 01:45:04 +0000 (13:45 +1200)]
lorikeet-heimdal: Include Samba commit in cherry-picked patches

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lorikeet-heimdal: improve apply_heimdal.sh
Andrew Bartlett [Fri, 21 Feb 2014 02:58:20 +0000 (15:58 +1300)]
lorikeet-heimdal: improve apply_heimdal.sh

5 months ago lorikeet-heimdal: specify hash to heimdal import, rather than using the date
Andrew Bartlett [Wed, 19 Feb 2014 09:06:57 +0000 (22:06 +1300)]
lorikeet-heimdal: specify hash to heimdal import, rather than using the date

5 months ago lorikeet-heimdal: rebase-lorikeet: Explicitly use bash.
Jelmer Vernooij [Fri, 26 Oct 2012 14:34:47 +0000 (06:34 -0800)]
lorikeet-heimdal: rebase-lorikeet: Explicitly use bash.

Standard sh doesn't have pushd/popd.

5 months ago lorikeet-heimdal: Add a new script to help merging patches from Samba4 to heimdal
Andrew Tridgell [Wed, 1 Dec 2010 02:00:08 +0000 (13:00 +1100)]
lorikeet-heimdal: Add a new script to help merging patches from Samba4 to heimdal

5 months ago lorikeet-heimdal: improve import-lorikeet.sh for the toplevel build
Stefan Metzmacher [Thu, 14 Jul 2011 14:24:37 +0000 (16:24 +0200)]
lorikeet-heimdal: improve import-lorikeet.sh for the toplevel build

metze

5 months ago lorikeet-heimdal: Improve the heimdal import scripts
Andrew Bartlett [Tue, 30 Nov 2010 23:54:49 +0000 (10:54 +1100)]
lorikeet-heimdal: Improve the heimdal import scripts

5 months ago lorikeet-heimdal: add scripts to rebase and import the latest version into samba4
Stefan Metzmacher [Fri, 27 Mar 2009 06:31:11 +0000 (07:31 +0100)]
lorikeet-heimdal: add scripts to rebase and import the latest version into samba4

If you use these scripts, read them! :-)

metze

[abartlet@samba.org Removed lexyacc build step as this is no longer required
 in Samba, which builds the files at compile time]

5 months ago lorikeet-heimdal: add HEIMDAL-LICENCE.txt
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:06 +0000 (11:57 +0200)]
lorikeet-heimdal: add HEIMDAL-LICENCE.txt

metze

5 months ago lorikeet-heimdal: camellia-ntt GPLv2+ license
Stefan Metzmacher [Fri, 22 Aug 2008 09:43:50 +0000 (11:43 +0200)]
lorikeet-heimdal: camellia-ntt GPLv2+ license

metze

5 months ago lorikeet-heimdal: autogen.sh modifications
Stefan Metzmacher [Fri, 22 Aug 2008 09:42:21 +0000 (11:42 +0200)]
lorikeet-heimdal: autogen.sh modifications

metze

5 months ago krb5: Clarify documentation for ‘pkinit_revoke’ parameter
Joseph Sutton [Wed, 5 Jul 2023 03:50:32 +0000 (15:50 +1200)]
krb5: Clarify documentation for ‘pkinit_revoke’ parameter

If multiple valid CRLs are specified for a particular issuer, only the
first will be checked. The documentation didn’t really hint at this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago krb5: Fix typos in documentation
Joseph Sutton [Wed, 5 Jul 2023 03:28:33 +0000 (15:28 +1200)]
krb5: Fix typos in documentation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
5 months ago kadm5: allow setting password_lifetime to 0 to clear
Daria Phoebe Brashear [Mon, 13 Nov 2023 19:42:33 +0000 (14:42 -0500)]
kadm5: allow setting password_lifetime to 0 to clear

When [kadmin] password_lifetime is set to 0, it should clear the time
rather than making the freshly-changed password expire immediately