Stefan Metzmacher [Fri, 1 Mar 2024 12:19:06 +0000 (13:19 +0100)]
lib/krb5: add KRB5_AUTHDATA_TARGET_PRINCIPAL for gssapi exchanges
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 1 Mar 2024 12:17:41 +0000 (13:17 +0100)]
lib/gssapi/krb5: implement GSS_C_CHANNEL_BOUND_FLAG for gss_init_sec_context()
This will force KERB_AP_OPTIONS_CBT to be sent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 1 Mar 2024 12:36:15 +0000 (13:36 +0100)]
lib/gssapi/krb5: also verify zero channel bindings with KERB_AP_OPTIONS_CBT
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Tokarev [Tue, 27 Feb 2024 01:31:09 +0000 (14:31 +1300)]
spelling fixes (underun prefered relase encyption confunder)
[abartlet@samba.org: From Samba debian package at
https://salsa.debian.org/samba-team/samba/-/blob/master/debian/patches/heimdal-spelling.patch?ref_type=heads]
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 26 Feb 2024 22:18:06 +0000 (11:18 +1300)]
Indicate that the PKINIT Freshness extension was used
This allows Samba to put an extra SID in the PAC to indicate this.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 17 Nov 2023 04:40:33 +0000 (17:40 +1300)]
lib/krb5: Align with MIT behaviour and provide krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags()
It is easier for external callers to manipulate the krb5_get_init_creds_opt
(via the helpers) as this is passed down from higher up than the krb5_init_creds_context.
And just as importantly, alignment with MIT makes end-user callers happier.
Finally, this resolves the ambiguity as to which layer owns the
krb5_ccache, because, now that we match the MIT behaviour, the init_creds code
re-opens a private copy inside libkrb5, meaning the caller closes the
cache it opened, rather than handing it over to the library.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 21 Sep 2023 23:16:31 +0000 (11:16 +1200)]
kdc: Note that the sname of a ticket may not be relied upon
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Sep 2023 22:35:11 +0000 (10:35 +1200)]
krb5: Consider a single‐component krbtgt principal to be the TGS
This matches the behaviour of Windows.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Sep 2023 22:54:42 +0000 (10:54 +1200)]
hdb: Avoid passing a NULL pointer to strcmp()
To do so is to invoke undefined behaviour.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Sep 2023 22:36:47 +0000 (10:36 +1200)]
kdc: Make use of krb5_principalname_is_krbtgt()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Sep 2023 23:35:35 +0000 (11:35 +1200)]
krb5: Make use of krb5_principalname_is_krbtgt()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Sep 2023 22:32:07 +0000 (10:32 +1200)]
krb5: Add function to determine whether a principal name is a krbtgt principal
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Sep 2023 23:20:49 +0000 (11:20 +1200)]
kcm: Make use of krb5_principal_is_krbtgt()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Stefan Metzmacher [Tue, 10 Oct 2023 13:23:35 +0000 (15:23 +0200)]
kdc: introduce HDB_F_USER2USER_PRINCIPAL
This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.
But for User2User the account password is not used,
so it is safe to return the server entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jo Sutton [Fri, 4 Aug 2023 01:14:54 +0000 (13:14 +1200)]
hdb: Provide client entry to RBCD plugin
This helps with passing claims through to the RBCD access check.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Kacper Boström [Thu, 5 May 2022 11:03:27 +0000 (13:03 +0200)]
kdc: support pkinit_kdc_revoke for pkinit anchors
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 5 Jul 2023 02:43:20 +0000 (14:43 +1200)]
pkinit: Correctly pad Diffie-Hellman key
If the Diffie-Hellman key was ‘n’ bytes too short, we would shift it to
the right ‘n’ places, padding it out to the correct length to compute
the reply key.
Unfortunately, we forgot to increase the size of the key accordingly, so
‘n’ trailing key bytes would be discarded. This could mean failure to
decrypt a reply when interoperating with a Kerberos implementation
without this bug.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 4 Jul 2023 00:46:22 +0000 (12:46 +1200)]
kdc: Add KDC support for PKINIT Freshness extension (RFC 8070)
Clients indicating support for PKINIT Freshness (by means of an empty
PADATA_AS_FRESHNESS type) will receive in the reply a freshness token to
be included in the client’s PK-INIT request which proves the client’s
recent possession of the private key.
The require-pkinit-freshness option, if enabled, will reject PK-INIT
requests that lack this token.
Freshness tokens are only supported with the PA-PK-AS-REQ padata type.
The PA-PK-AS-REQ-Win2k type has no field to contain a freshness token.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 4 Jul 2023 00:46:19 +0000 (12:46 +1200)]
kdc: Move TGS lookup to before preauth data validation
For a PK-INIT request, we want to have the local krbtgt key available to
encrypt a new freshness token, and to decrypt a freshness token sent us
by a client.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Sun, 2 Jul 2023 22:42:43 +0000 (10:42 +1200)]
kdc: Prefer nonce in PKAuthenticator over that in request body
This matches the behaviour of the Windows KDC.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 20 Jun 2023 04:10:20 +0000 (16:10 +1200)]
kdc: Add support for resource-based constrained delegation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 20 Jun 2023 04:10:02 +0000 (16:10 +1200)]
hdb: Add hook for resource-based constrained delegation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 22 Jun 2023 13:51:08 +0000 (15:51 +0200)]
kdc: add kdc_request_get_[explicit_]armor_server
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 25 May 2023 02:45:04 +0000 (14:45 +1200)]
kdc: Add KDC_AUTH_EVENT_CLIENT_FOUND authentication event
This is to ensure that we have an event to log if the request fails
early (for example, in _kdc_check_access()).
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 24 May 2023 04:02:08 +0000 (16:02 +1200)]
Revert "Verify flags after the user been required to prove its identity * with"
This reverts commit 6561b13ccb504ba545b4e58fbe4c2f5dda3589cd.
Samba uses the ‘client_access’ plugin hook to enforce device
restrictions. Windows enforces device restrictions before checking the
client’s pre-authentication (shown by authenticating with the wrong
password when device restrictions are present). Therefore we should call
_kdc_check_flags() earlier, before checking pa-data.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 03:53:56 +0000 (15:53 +1200)]
kdc-plugin: Provide plugin with delegated proxy HDB entry and PAC
These are needed to be able to enforce Microsoft’s authentication
policies properly.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 03:51:13 +0000 (15:51 +1200)]
kdc: Check server of constrained delegation evidence ticket
This is to make sure that the delegating server hasn’t just presented a
ticket to a completely different service with a forged ‘sname’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 03:43:38 +0000 (15:43 +1200)]
kdc-plugin: Make ‘client_principal’ const
‘krb5_principal’ is a typedef, and ‘const krb5_principal’ is not const
in the way that one might think.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 03:32:00 +0000 (15:32 +1200)]
kdc: Validate armor TGT for AS-REQs
The KDC plugin requires the armor PAC in order to be able to enforce
device restrictions.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 03:16:46 +0000 (15:16 +1200)]
kdc: Don’t update the PAC if we perform Services for User
_kdc_validate_protocol_transition() generates an entirely new PAC, and
_kdc_validate_constrained_delegation() performs its own PAC update. The
call to _kdc_pac_update() immediately beforehand thus becomes
superfluous.
Furthermore, the way Windows enforces authentication policies when
Services for User are employed means that we should only call the
plugin’s PAC update function when it is actually necessary, or we may
end up failing with ERR_POLICY errors.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 03:01:48 +0000 (15:01 +1200)]
kdc: Have caller perform checking for _kdc_validate_constrained_delegation()
This means that the function now has no early success case — now it
should be called only when applicable. A successful return code now
indicates that constrained delegation took place successfully.
This is closer to how this code used to be prior to commit
0287558838de79313e38026d2f0905ffc987d0b8.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 02:56:54 +0000 (14:56 +1200)]
kdc: Have _kdc_validate_protocol_transition() take PA-DATA parameter
This means that the function now has no early success case — now it
should be called only when applicable. A successful return code now
indicates that a successful protocol transition took place.
This is closer to how this code used to be prior to commit
0287558838de79313e38026d2f0905ffc987d0b8.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 02:44:47 +0000 (14:44 +1200)]
kdc: Inline calls to Services for User functions
We shall presently need to change the logic of these function calls,
which we cannot do while they are contained in a wrapper function.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Mon, 19 Jun 2023 02:29:15 +0000 (14:29 +1200)]
kdc: Provide kdc_request_get_armor_{clientdb,client,pac}()
A plugin might need the armor PAC in order to validate that the client
is allowed to authenticate using a specific device. Currently, that
information is only made available if explicit TGS armor is used.
We now enable the plugin to access this information if any kind of FAST
armor is used. The existing kdc_request_get_explicit_armor_*() functions
are kept around for convenience.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Fri, 9 Jun 2023 02:50:17 +0000 (14:50 +1200)]
kdc: Add enable_fast_cookie option (enabled by default)
This option allows the FAST cookie and mechanisms relying upon it to be
disabled, and for a dummy FX-COOKIE string to be sent instead. This is
useful for Samba, which has no need for the cookie in order to implement
Active Directory, and in which the relevant code is completely untested.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 18 Apr 2023 02:28:01 +0000 (14:28 +1200)]
kdc: Check lifetime of correct ticket
The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 17 May 2023 04:00:15 +0000 (16:00 +1200)]
kdc: Allow e_data field of KDC request structure to override error data in reply
If the e_data field in the KDC request structure has been set, use that
in preference to creating the error data ourselves.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 1 Dec 2022 02:35:56 +0000 (15:35 +1300)]
kdc: Split out function to create error data
The creation of FAST e-data is now handled by a new function,
_kdc_fast_mk_e_data().
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 17 May 2023 03:55:55 +0000 (15:55 +1200)]
kdc: Add ‘e-data’ field to KDC request structure
This field can be set to override the error data that the KDC would have
returned.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 9 Nov 2023 23:20:46 +0000 (12:20 +1300)]
krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA)
View with ‘git show -b’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 17 May 2023 03:53:36 +0000 (15:53 +1200)]
asn1: Add KERB-ERROR-DATA type
This type is used by Windows to carry custom error data, usually an
NTSTATUS code.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 17 May 2023 03:51:56 +0000 (15:51 +1200)]
kdc: Do not return ETYPE-INFO if the client is locked out
This matches the behaviour of Windows.
View with ‘git show -b’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 17 May 2023 04:07:30 +0000 (16:07 +1200)]
kdc: Ensure return value is initialized
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 16 May 2023 05:10:09 +0000 (17:10 +1200)]
kdc: Always apply maximum ticket lifetime and renew time when non-NULL
This allows a lifetime of zero to work.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 16 May 2023 05:07:07 +0000 (17:07 +1200)]
hdb: Make maximum ticket lifetime and renew time signed integers
This allows for negative lifetimes to be encoded, and fits in better
with our use elsewhere of time_t, which in POSIX is a signed integer
type.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 16 Mar 2023 22:21:39 +0000 (11:21 +1300)]
krb5: Add functions to determine whether PAC is trusted
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 8 Mar 2023 19:55:02 +0000 (08:55 +1300)]
kdc: Move _krb5_pac_get_attributes_info() call to right place
Whether or not we set pac_attributes should not depend on pac_canon_name
being NULL or non-NULL.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 8 Mar 2023 02:22:29 +0000 (15:22 +1300)]
kdc-plugin: Split updating a PAC out of PAC verification
Up to now krb5plugin_kdc_pac_verify() has served both to verify and to
update a PAC. There are cases, however, when we only want to retrieve
and verify a PAC, but don't want to modify it. This is the case with the
PAC from a FAST armor ticket.
Therefore, add a new plugin function, pac_update(), that will update a
PAC obtained using pac_verify(). pac_verify() now only deals with
verifying a PAC, while pac_update() handles any necessary updates to it.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 8 Mar 2023 02:37:30 +0000 (15:37 +1300)]
kdc: Call _kdc_fast_check_armor_pac() prior to calling _kdc_check_pac()
The plugin code invoked by _kdc_check_pac() may need to access
explicit_armor_client and explicit_armor_pac, but those fields are not
set until after calling _kdc_fast_check_armor_pac(). Hence we must do
that first.
We also now call _kdc_fast_check_armor_pac() regardless of whether the
ticket was issued by the KDC or whether the server principal is the
krbtgt.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 8 Mar 2023 02:24:56 +0000 (15:24 +1300)]
lib/hdb: Make hdb_enctype2key() parameter const
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 1 Nov 2022 02:20:47 +0000 (15:20 +1300)]
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Jo Sutton <josutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jo Sutton [Wed, 9 Nov 2022 00:45:13 +0000 (13:45 +1300)]
CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Amended in lorikeet-heimdal to make test_pac continue to pass]
Andrew Bartlett [Tue, 1 Nov 2022 01:47:12 +0000 (14:47 +1300)]
CVE-2022-37966 HEIMDAL: Look up the server keys to combine with the client's etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jo Sutton [Tue, 4 Jan 2022 21:39:14 +0000 (10:39 +1300)]
SAMBA ONLY krb5: Don't generate PAC_ATTRIBUTES_INFO and UPN_DNS_INFO buffers
Currently we leave it up to the plugin to generate them, which allows
more control over what situations they are included in.
[abartlet@samba.org This commit makes the check-context test fail, but
is critical to how Samba operates an AD DC, because Samba wants full
control of the buffers here. A way to make this behaviour
optional would be useful in the future]
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 4 Jan 2022 21:18:28 +0000 (10:18 +1300)]
SAMBA ONLY kdc: Always include PAC if it is non-NULL
Currently, we allow the plugin to specify that the PAC should be omitted
by returning NULL for the PAC.
[abartlet@samba.org This commit needs to be reworked to use a plugin hook
as it overrides the default PAC behaviour and so the check-kdc and
check-kdc-weak tests fail as they don't get the client-controlled
behaviour they expect any more]
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 4 Jan 2022 21:25:31 +0000 (10:25 +1300)]
kdc: Allow requesting no PAC for AS-REQ to non-TGS server
Note that we still get a PAC even if the NO_AUTH_DATA_REQUIRED flag is
set, which matches Windows behaviour.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 4 Jan 2022 21:44:42 +0000 (10:44 +1300)]
krb5: Remove UPN_DNS_INFO_EX realm check
This check may fail if the realms do not match due to the netbios or
lowercase realm being used.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Wed, 22 Jun 2022 08:01:12 +0000 (20:01 +1200)]
kdc: Add function to get current KDC time
Assists Samba to address CVE-2022-2031
This allows the plugin to check the endtime of a ticket against the
KDC's current time, to see if the ticket will expire in the next two
minutes.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 24 Feb 2022 12:27:29 +0000 (13:27 +0100)]
kdc: add kdc_log() before _kdc_fast_mk_error() also for as-req
We already have the same for the tgs-req case.
Got lost in https://github.com/heimdal/heimdal/pull/964
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jo Sutton [Mon, 28 Feb 2022 23:00:48 +0000 (12:00 +1300)]
krb5: Check for signed overflow
This avoids a compiler error:
../../third_party/heimdal/lib/krb5/krbhst.c: In function ‘srv_find_realm.constprop’:
../../third_party/heimdal/lib/krb5/krbhst.c:113:8: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
if (num_srv == 0) {
^
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 22 Feb 2022 20:53:27 +0000 (09:53 +1300)]
kdc: Reinstate publicly accessible configuration structure members
We add some specific configuration options into
KRB5_KDC_CONFIGURATION_COMMON_ELEMENTS, as otherwise Samba no longer has
any way to access those options, other than through the configuration
file.
This is an adaptation to Heimdal:
commit b82815733598da9ba0807ad4754572276b6ffc06
Author: Luke Howard <lukeh@padl.com>
Date: Thu Jan 20 09:15:24 2022 +1100
kdc: add accessor functions for KDC request structure
Add accessor functions for use by Samba and other plugin developers.
Documentation is in kdc/kdc-accessors.h.
Jo Sutton [Mon, 21 Feb 2022 06:47:14 +0000 (19:47 +1300)]
kuser: Avoid conflicting macro definitions
This avoids a conflict introduced in:
commit 78b3507131482d0a5d2c0b362a0970a6d0e4025d
Author: Nicolas Williams <nico@twosigma.com>
Date: Wed Dec 15 16:17:52 2021 -0600
kinit: Use optimistic anon PKINIT armored FAST
Now that we can optimistically try FAST w/ anon PKINIT armor, we should
do so in kinit whenever it makes sense.
Stefan Metzmacher [Mon, 6 Apr 2020 13:16:42 +0000 (15:16 +0200)]
krb5: Set canonicalize flag for enterprise principals
Stefan Metzmacher [Wed, 1 Apr 2020 21:09:57 +0000 (23:09 +0200)]
lib/krb5: allow access to anonymous mcache entries via name
The idea of anonymous mcache entries is that they won't be
included in the global ccache collection. But at the
same time they should be accessible via a name.
There might be better ways to do this, e.g. let the
caller specify a name like 'anonymous-application-key1'.
But we need a way to use MEMORY ccaches for different
security contexts, without the fear that they are randomly
used from the global list.
The better way would have been to opt-in in order to
fill the global ccache collection.
See 7e858c51b690ff0322766b328f60b41bc38d4ae3 for (at least part)
of the mess... there should not be a single global ccache collection
for MEMORY: ccaches! That is a security problem for applications
which used to be able to switch between different MEMORY ccaches!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 26 Sep 2017 03:34:38 +0000 (16:34 +1300)]
lib/krb5: Fix loss of information in _gsskrb5_canon_name() from call to krb5_sname_to_principal()
This would discard the realm the client specified.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 26 Sep 2017 02:11:53 +0000 (15:11 +1300)]
lib/krb5: Honour KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME in parse_name_canon_rules()
This is called from gsskrb5_set_dns_canonicalize() and krb5_set_dns_canonicalize_hostname()
and is used by Samba to ensure that the AD DC sees the name as specified by the client.
We allow the krb5.conf to override, if specifically configured.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 02:50:00 +0000 (14:50 +1200)]
kdc: Change KDC to respect HDB server name type if f.canonicalize is set
This changes behaviour flagged as being for Java 1.6. My hope is that this does not
set f.canonicalize
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Nov 2021 06:59:44 +0000 (19:59 +1300)]
kdc: Don't conceal error code when using FAST
This matches Windows behaviour, which also places the error code in the
outer error.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 14 Dec 2021 01:19:15 +0000 (14:19 +1300)]
kdc: Send ETYPE-INFO2 instead of PW-SALT for validated timestamp
This matches Windows behaviour.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 25 Oct 2022 19:18:33 +0000 (08:18 +1300)]
Adapt apply_heimdal.sh to new Heimdal location in Samba
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 8 Nov 2017 12:18:29 +0000 (13:18 +0100)]
kdc: use the correct authtime from additional ticket for S4U2Proxy tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
kdc: decrypt b->enc_authorization_data in tgs_build_reply()
We need to do this after checking for constrained delegation (S4U2Proxy).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156
Stefan Metzmacher [Wed, 20 Sep 2017 21:05:09 +0000 (23:05 +0200)]
kdc: fix memory leak when decrypting AuthorizationData
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/1156
Stefan Metzmacher [Fri, 4 Mar 2022 23:39:14 +0000 (00:39 +0100)]
kdc: remember kvno numbers for longterm key pre-auth
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Stefan Metzmacher [Tue, 15 Feb 2022 17:26:55 +0000 (18:26 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_chal_validate()
If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Stefan Metzmacher [Tue, 15 Feb 2022 16:16:47 +0000 (17:16 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_ts_validate()
If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Stefan Metzmacher [Mon, 7 Feb 2022 18:48:18 +0000 (19:48 +0100)]
kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY value
This will be used to indicate that a historic password was
able to fulfil the pre-authentication. We'll still
fail the pre-authentication but pass
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY instead of
KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY. It will allow
the hdb backend to avoid locking out the account in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Stefan Metzmacher [Fri, 4 Mar 2022 23:24:41 +0000 (00:24 +0100)]
kdc: add success logging to pa_enc_chal_validate()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Stefan Metzmacher [Tue, 15 Feb 2022 17:13:23 +0000 (18:13 +0100)]
kdc: split out pa_enc_chal_decrypt_kvno() from pa_enc_chal_validate()
This will simplify support for historic passwords in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Stefan Metzmacher [Tue, 15 Feb 2022 16:15:57 +0000 (17:15 +0100)]
kdc: split out pa_enc_ts_decrypt_kvno() from pa_enc_ts_validate()
This will simplify support for historic passwords in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
MR: https://github.com/heimdal/heimdal/pull/970
Jo Sutton [Tue, 13 Feb 2024 23:42:29 +0000 (12:42 +1300)]
krb5: Correct inverted conditions
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 1 Mar 2022 00:56:25 +0000 (13:56 +1300)]
lorikeet-heimdal: Move Heimdal into third_party directory
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Mon, 10 Sep 2018 21:13:07 +0000 (16:13 -0500)]
lorikeet-heimdal: modernize URLs in helper scripts
We have moved some repos and have https these days
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 10 Sep 2018 21:05:40 +0000 (16:05 -0500)]
lorikeet-heimdal: import-lorikeet: Use --no-verify when importing heimdal
This allows us to import byte-for-byte files even if they have whitespace "errors".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 02:04:44 +0000 (14:04 +1200)]
lorikeet-heimdal: apply_heimdal: Try harder to apply patches from Samba
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 01:57:35 +0000 (13:57 +1200)]
lorikeet-heimdal: apply_heimdal: Only show the Heimdal part of the patch to cherry-pick
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 5 Sep 2018 01:45:04 +0000 (13:45 +1200)]
lorikeet-heimdal: Include Samba commit in cherry-picked patches
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 21 Feb 2014 02:58:20 +0000 (15:58 +1300)]
lorikeet-heimdal: improve apply_heimdal.sh
Andrew Bartlett [Wed, 19 Feb 2014 09:06:57 +0000 (22:06 +1300)]
lorikeet-heimdal: specify hash to heimdal import, rather than using the date
Jelmer Vernooij [Fri, 26 Oct 2012 14:34:47 +0000 (06:34 -0800)]
lorikeet-heimdal: rebase-lorikeet: Explicitly use bash.
Standard sh doesn't have pushd/popd.
Andrew Tridgell [Wed, 1 Dec 2010 02:00:08 +0000 (13:00 +1100)]
lorikeet-heimdal: Add a new script to help merging patches from Samba4 to heimdal
Stefan Metzmacher [Thu, 14 Jul 2011 14:24:37 +0000 (16:24 +0200)]
lorikeet-heimdal: improve import-lorikeet.sh for the toplevel build
metze
Andrew Bartlett [Tue, 30 Nov 2010 23:54:49 +0000 (10:54 +1100)]
lorikeet-heimdal: Improve the heimdal import scripts
Stefan Metzmacher [Fri, 27 Mar 2009 06:31:11 +0000 (07:31 +0100)]
lorikeet-heimdal: add scripts to rebase and import the latest version into samba4
If you use these scripts, read them! :-)
metze
[abartlet@samba.org Removed lexyacc build step as this is no longer required
in Samba, which builds the files at compile time]
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:06 +0000 (11:57 +0200)]
lorikeet-heimdal: add HEIMDAL-LICENCE.txt
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:43:50 +0000 (11:43 +0200)]
lorikeet-heimdal: camellia-ntt GPLv2+ license
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:42:21 +0000 (11:42 +0200)]
lorikeet-heimdal: autogen.sh modifications
metze
Nicolas Williams [Sat, 20 Jan 2024 22:12:59 +0000 (16:12 -0600)]
tests: Use here-doc kadmin in Java test
Nicolas Williams [Wed, 17 Jan 2024 22:55:27 +0000 (16:55 -0600)]
tests: Speed up tests/gss/check-gssmask