| |
@@ -0,0 +1,174 @@
|
| |
+ From 04b262f686b5b16ba659ade1e4b5778e2b219f0a Mon Sep 17 00:00:00 2001
|
| |
+ From: Isaac Boukris <iboukris@gmail.com>
|
| |
+ Date: Mon, 16 Sep 2019 16:40:12 +0300
|
| |
+ Subject: [PATCH 1/2] Adapt sign_authdata in our KDB module for krb5 v1.18
|
| |
+
|
| |
+ Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
| |
+ ---
|
| |
+ source4/kdc/mit-kdb/kdb_samba.c | 2 +-
|
| |
+ source4/kdc/mit-kdb/kdb_samba.h | 21 +++++++++++++++++++++
|
| |
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 24 ++++++++++++++++++++++++
|
| |
+ 3 files changed, 46 insertions(+), 1 deletion(-)
|
| |
+
|
| |
+ diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
|
| |
+ index c5157d6ed1b..02bbdca9f54 100644
|
| |
+ --- a/source4/kdc/mit-kdb/kdb_samba.c
|
| |
+ +++ b/source4/kdc/mit-kdb/kdb_samba.c
|
| |
+ @@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
|
| |
+
|
| |
+ kdb_vftabl kdb_function_table = {
|
| |
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
|
| |
+ - .min_ver = 1,
|
| |
+ + .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
|
| |
+
|
| |
+ .init_library = kdb_samba_init_library,
|
| |
+ .fini_library = kdb_samba_fini_library,
|
| |
+ diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
|
| |
+ index 22ef9085b6a..ad4f6e27573 100644
|
| |
+ --- a/source4/kdc/mit-kdb/kdb_samba.h
|
| |
+ +++ b/source4/kdc/mit-kdb/kdb_samba.h
|
| |
+ @@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
|
| |
+
|
| |
+ /* from kdb_samba_policies.c */
|
| |
+
|
| |
+ +#if KRB5_KDB_API_VERSION < 10
|
| |
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ unsigned int flags,
|
| |
+ krb5_const_principal client_princ,
|
| |
+ @@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ krb5_timestamp authtime,
|
| |
+ krb5_authdata **tgt_auth_data,
|
| |
+ krb5_authdata ***signed_auth_data);
|
| |
+ +#else
|
| |
+ +krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ + unsigned int flags,
|
| |
+ + krb5_const_principal client_princ,
|
| |
+ + krb5_const_principal server_princ,
|
| |
+ + krb5_db_entry *client,
|
| |
+ + krb5_db_entry *server,
|
| |
+ + krb5_db_entry *krbtgt,
|
| |
+ + krb5_db_entry *local_krbtgt,
|
| |
+ + krb5_keyblock *client_key,
|
| |
+ + krb5_keyblock *server_key,
|
| |
+ + krb5_keyblock *krbtgt_key,
|
| |
+ + krb5_keyblock *local_krbtgt_key,
|
| |
+ + krb5_keyblock *session_key,
|
| |
+ + krb5_timestamp authtime,
|
| |
+ + krb5_authdata **tgt_auth_data,
|
| |
+ + void *authdata_info,
|
| |
+ + krb5_data ***auth_indicators,
|
| |
+ + krb5_authdata ***signed_auth_data);
|
| |
+ +#endif
|
| |
+
|
| |
+ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
|
| |
+ krb5_kdc_req *kdcreq,
|
| |
+ diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
| |
+ index fc80329f221..e2f7174b0c2 100644
|
| |
+ --- a/source4/kdc/mit-kdb/kdb_samba_policies.c
|
| |
+ +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
| |
+ @@ -287,6 +287,7 @@ done:
|
| |
+ return code;
|
| |
+ }
|
| |
+
|
| |
+ +#if KRB5_KDB_API_VERSION < 10
|
| |
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ unsigned int flags,
|
| |
+ krb5_const_principal client_princ,
|
| |
+ @@ -301,6 +302,29 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ krb5_authdata **tgt_auth_data,
|
| |
+ krb5_authdata ***signed_auth_data)
|
| |
+ {
|
| |
+ +#else
|
| |
+ +krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ + unsigned int flags,
|
| |
+ + krb5_const_principal client_princ,
|
| |
+ + krb5_const_principal server_princ,
|
| |
+ + krb5_db_entry *client,
|
| |
+ + krb5_db_entry *server,
|
| |
+ + krb5_db_entry *krbtgt,
|
| |
+ + krb5_db_entry *local_krbtgt,
|
| |
+ + krb5_keyblock *client_key,
|
| |
+ + krb5_keyblock *server_key,
|
| |
+ + krb5_keyblock *krbtgt_key,
|
| |
+ + krb5_keyblock *local_krbtgt_key,
|
| |
+ + krb5_keyblock *session_key,
|
| |
+ + krb5_timestamp authtime,
|
| |
+ + krb5_authdata **tgt_auth_data,
|
| |
+ + void *authdata_info,
|
| |
+ + krb5_data ***auth_indicators,
|
| |
+ + krb5_authdata ***signed_auth_data)
|
| |
+ +{
|
| |
+ + krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
|
| |
+ + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
| |
+ +#endif
|
| |
+ krb5_const_principal ks_client_princ;
|
| |
+ krb5_authdata **authdata = NULL;
|
| |
+ krb5_boolean is_as_req;
|
| |
+ --
|
| |
+ 2.24.1
|
| |
+
|
| |
+
|
| |
+ From c968ec07fa403ed919dcda7b3087e0d10d1e7a32 Mon Sep 17 00:00:00 2001
|
| |
+ From: Isaac Boukris <iboukris@gmail.com>
|
| |
+ Date: Thu, 16 Jan 2020 22:00:21 +0100
|
| |
+ Subject: [PATCH 2/2] Sign and verify PAC with ticket principal instead of
|
| |
+ canon principal
|
| |
+
|
| |
+ With MIT library 1.18 the KDC no longer set
|
| |
+ KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
|
| |
+ us to not canonicalize them (like in Windwos / Heimdal).
|
| |
+
|
| |
+ However, it now breaks the PAC signature verification as it was
|
| |
+ wrongly done using canonical client rather than ticket client name.
|
| |
+
|
| |
+ Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
| |
+ ---
|
| |
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
|
| |
+ 1 file changed, 2 insertions(+), 10 deletions(-)
|
| |
+
|
| |
+ diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
| |
+ index e2f7174b0c2..6a5f06a8a8c 100644
|
| |
+ --- a/source4/kdc/mit-kdb/kdb_samba_policies.c
|
| |
+ +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
| |
+ @@ -325,20 +325,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
|
| |
+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
| |
+ #endif
|
| |
+ - krb5_const_principal ks_client_princ;
|
| |
+ krb5_authdata **authdata = NULL;
|
| |
+ krb5_boolean is_as_req;
|
| |
+ krb5_error_code code;
|
| |
+ krb5_pac pac = NULL;
|
| |
+ krb5_data pac_data;
|
| |
+
|
| |
+ - /* Prefer canonicalised name from client entry */
|
| |
+ - if (client != NULL) {
|
| |
+ - ks_client_princ = client->princ;
|
| |
+ - } else {
|
| |
+ - ks_client_princ = client_princ;
|
| |
+ - }
|
| |
+ -
|
| |
+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
| |
+
|
| |
+ if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
|
| |
+ @@ -351,7 +343,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ if (!is_as_req) {
|
| |
+ code = ks_verify_pac(context,
|
| |
+ flags,
|
| |
+ - ks_client_princ,
|
| |
+ + client_princ,
|
| |
+ client,
|
| |
+ server,
|
| |
+ krbtgt,
|
| |
+ @@ -378,7 +370,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
| |
+ goto done;
|
| |
+ }
|
| |
+
|
| |
+ - code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
|
| |
+ + code = krb5_pac_sign(context, pac, authtime, client_princ,
|
| |
+ server_key, krbtgt_key, &pac_data);
|
| |
+ if (code != 0) {
|
| |
+ DBG_ERR("krb5_pac_sign failed: %d\n", code);
|
| |
+ --
|
| |
+ 2.24.1
|
| |
+
|
| |