Skip to content

GitLab

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

The Samba Team
Samba
Merge requests
!2330

Bronze bit, S4U and RBCD support with MIT Kerberos 1.20

Review changes
Download
Patches
Plain diff

Andreas Schneider requested to merge samba-team/devel/samba:asn-bronze-bit into master Jan 13, 2022

Overview 71
Commits 16
Pipelines 43
Changes 30

Bronze bit and S4U support with MIT Kerberos 1.20

In 2020 Microsoft Security Response Team received another Kerberos-related report. Eventually, that led to a security update of the CVE-2020-17049, Kerberos KDC Security Feature Bypass Vulnerability, also known as a ‘Bronze Bit’. With this vulnerability, a compromised service that is configured to use Kerberos constrained delegation feature could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

With the release of MIT Kerberos 1.20, Samba AD DC is able able to mitigate the ‘Bronze Bit’ attack. MIT Kerberos KDC's KDB (Kerberos Database Driver) API was changed to allow passing more details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20.

In addition to fixing the ‘Bronze Bit’ issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions.

Resource Based Constrained Delegation (RBCD) support

Samba AD DC built either with Heimdal or MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite.

To complete RBCD support and make it useful to Administrators we added the Asserted Identity [1] SID into the PAC for constrained delegation. This is available for Samba AD compiled with either Heimdal or and MIT Kerberos 1.20.

[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

This requires the just merged bronze bit support in MIT Kerberos https://github.com/krb5/krb5/pull/1225#event-5882590954

Thanks to @iboukris, Robbie Harwood and Greg Hudson fixing the issue in MIT Kerberos!
Also thanks to @iboukris for the contributions to this patchset.

Checklist

Commits have Signed-off-by: with name/author being identical to the commit author
(optional) This MR is just one part towards a larger feature.
(optional, if backport required) Bugzilla bug filed and BUG: tag added
Test suite updated with functionality tests
Test suite updated with negative tests
Documentation updated
CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

There is a test suite reasonably covering new functionality or modifications
Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
This feature/change has adequate documentation added
No obvious mistakes in the code

Edited Jan 28, 2022 by Andreas Schneider

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking