
WIP: Implement GSS_KRB5_CRED_NO_TRANSIT_CHECK_X and use it in Samba

From https://bugzilla.samba.org/show_bug.cgi?id=12907

Member in W4EDOM-L4.BASE user in S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE chain: W4EDOM-L4.BASE <=Forest-Trust=> W2012R2-L4.BASE <=Parent-Child-Trust=> S1-W2012-L4.W2012R2-L4.BASE <=Parent-Child-Trust=> S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE

The ticket for administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE arrives on the member with transited = S1-W2012-L4.W2012R2-L4.BASE, which was added by the DC of W2012R2-L4.BASE.

The function krb5_check_transited() is called via gss_accept_sec_context() and fails with KRB5KRB_AP_ERR_ILL_CR_TKT, which causes krb5_decrypt_ticket() to fail; in the log file it seems that the provided keytab didn't have the correct key to decrypt.

For Heimdal, the following bug also needs to be fixed (https://bugzilla.samba.org/show_bug.cgi?id=14125):

As we don't know under which kvno a KDC stores our machine passwords, we just use made-up numbers when filling the in-memory keytab with our (up to 4) machine passwords.

If the kvno by accident matches the number we made up, the Heimdal Kerberos library may not fall back and check all the other keys/passwords.
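The kvno problem described for Heimdal above, as an added example that is not Samba's or Heimdal's own code: a Python model of an in-memory keytab whose entries carry made-up kvnos, with a constructed toy authenticated cipher standing in for a real Kerberos enctype, comparing a lookup that trusts the first kvno match against one that falls back to every key stored for the principal when decryption fails. The principal name, the machine passwords, the kvno numbering and the "real" KDC kvno are all constructed for the scenario.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes


class DecryptError(Exception):
    """Raised when a key does not authenticate the ticket (i.e. wrong key)."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 counter mode; constructed stand-in, not a Kerberos enctype.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Constructed toy cipher: XOR keystream plus an HMAC tag, so decrypting
    # with the wrong key is detected instead of silently returning garbage.
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def decrypt_ticket_first_match(keytab, principal, kvno, blob):
    # Defective strategy (the bug-14125 behaviour): take the first entry whose
    # principal and kvno match and trust it; never try another key if it fails.
    for entry in keytab:
        if entry.principal == principal and entry.kvno == kvno:
            return toy_decrypt(entry.key, blob)
    raise DecryptError("no key with kvno %d for %s" % (kvno, principal))


def decrypt_ticket_with_fallback(keytab, principal, kvno, blob):
    # Robust strategy: try the kvno match first, then every other key stored
    # for the principal, because the kvno in the keytab may be made up.
    candidates = [e for e in keytab if e.principal == principal]
    ordered = sorted(candidates, key=lambda e: 0 if e.kvno == kvno else 1)
    for entry in ordered:
        try:
            return toy_decrypt(entry.key, blob)
        except DecryptError:
            continue
    raise DecryptError("no key in keytab decrypts the ticket for %s" % principal)


# Constructed service principal for a member server in W4EDOM-L4.BASE.
SERVICE = "host/member.w4edom-l4.base@W4EDOM-L4.BASE"


def build_in_memory_keytab(passwords):
    # The real kvno is unknown, so entries get made-up numbers 1..n; keys are
    # derived from the passwords with a toy KDF (not a Kerberos string-to-key).
    return [KeytabEntry(SERVICE, kvno, hashlib.sha256(pw).digest())
            for kvno, pw in enumerate(passwords, start=1)]


def run_scenario():
    # Constructed: three older machine passwords plus the current one.
    passwords = [b"machine-pw-old3", b"machine-pw-old2",
                 b"machine-pw-old1", b"machine-pw-current"]
    keytab = build_in_memory_keytab(passwords)
    # The KDC encrypts the ticket with the current password (stored locally
    # under made-up kvno 4), but the ticket carries the KDC's real kvno, which
    # happens to be 2 and so collides with a different made-up entry.
    kdc_key = hashlib.sha256(b"machine-pw-current").digest()
    ticket_kvno = 2
    blob = toy_encrypt(kdc_key, b"EncTicketPart for administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE")
    results = {}
    for name, lookup in (("first_match", decrypt_ticket_first_match),
                         ("fallback", decrypt_ticket_with_fallback)):
        try:
            lookup(keytab, SERVICE, ticket_kvno, blob)
            results[name] = True
        except DecryptError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(run_scenario())  # {'first_match': False, 'fallback': True}
```

The first strategy reproduces the symptom in the description: the key with the accidentally matching kvno is the wrong one, decryption fails, and the error surfaces as "keytab didn't have the correct key". The fallback strategy only costs one extra decrypt attempt per stored password and succeeds regardless of which made-up kvno the KDC's real number collides with.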
