1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3:winbind: Use the canonical realm name to renew the credentials

Consider the following AD topology where all trusts are parent-child
trusts:

                   ADOM.AFOREST.AD
		   	|
            ACHILD.ADOM.AFOREST.AD
			|
AGRANDCHILD.ACHILD.ADOM.AFOREST.AD <-- Samba joined

When logging into the Samba machine using pam_winbind with kerberos enabled
with user ACHILD\user1, the ccache content is:

	Default principal: user1@ACHILD.ADOM.AFOREST.AD

	Valid starting       Expires              Service principal
	07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:09:23
-->	07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket
	        renew until 07/13/2022 16:09:23
	07/06/2022 16:09:23  07/06/2022 16:14:23  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:09:23

But when logging in with user ADOM\user1, the ccache content is:

	Default principal: user1@ADOM.AFOREST.AD

	Valid starting       Expires              Service principal
	07/06/2022 16:04:37  07/06/2022 16:09:37  krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
	        renew until 07/13/2022 16:04:37
	07/06/2022 16:04:37  07/06/2022 16:09:37  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:04:37

MIT does not store the intermediate TGTs when there is more than one hop:

	ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)]

	Getting credentials user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
	Starting with TGT for client realm: user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD using TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
	Sending request to ADOM.AFOREST.AD
	Received answer from stream 192.168.101.32:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key rc4-hmac/D88B
-->	Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket is not stored

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD
	Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
	Received answer (1628 bytes) from stream 192.168.101.33:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/D015
-->	Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT is not stored

	Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
	Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Received answer (1647 bytes) from stream 192.168.101.34:88
	TGS reply is for user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
	Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Storing user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

In the case of ACHILD\user1:

	ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)]

	Getting credentials user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
	Starting with TGT for client realm: user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
	Sending request to ACHILD.ADOM.AFOREST.AD
	Received answer from stream 192.168.101.33:88
	TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/0F60
-->	Storing user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000 <-- NOTE this TGT is stored
	Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD

	Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
	Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Received answer (1675 bytes) from stream 192.168.101.34:88
	TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
	Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Storing user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000

The result is that winbindd can't refresh the tickets for ADOM\user1
because the local realm is used to build the TGT service name.

	smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD'

	Retrieving user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105)

The canonical realm name must be used instead:

	smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD'

	Retrieving user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: 0/Success
	Get cred via TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD after requesting krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD (canonicalize off)
	Sending request to ADOM.AFOREST.AD
	Received answer from stream 192.168.101.32:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key aes256-cts/8C7B
	Storing user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184
This commit is contained in:
Samuel Cabrero 2022-07-07 11:32:39 +02:00 committed by Andreas Schneider
parent 8bef8e3de9
commit 116af0df4f

View File

@ -638,8 +638,8 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
entry->service = talloc_asprintf(entry,
"%s/%s@%s",
KRB5_TGS_NAME,
realm,
realm);
canon_realm,
canon_realm);
if (entry->service == NULL) {
goto no_mem;
}