s4:kdc: Replace FAST cookie with dummy string

All that uses the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba, and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224

selftest/knownfail_heimdal_kdc

@@ -17,10 +17,8 @@
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_no_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unsolicited_fx_cookie_preauth.ad_dc
 #
 # S4U tests
 #

source4/kdc/db-glue.c

@@ -3536,25 +3536,6 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	/* Setup the link to secrets.ldb */
-
-	kdc_db_ctx->secrets_db = secrets_db_connect(kdc_db_ctx,
-						    base_ctx->lp_ctx);
-	if (kdc_db_ctx->secrets_db == NULL) {
-		DEBUG(1, ("samba_kdc_setup_db_ctx: "
-			  "Cannot open secrets.ldb for KDC backend!"));
-		talloc_free(kdc_db_ctx);
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
-	kdc_db_ctx->fx_cookie_dn = ldb_dn_new(kdc_db_ctx,
-					      kdc_db_ctx->secrets_db,
-					      "CN=FX Cookie");
-	if (kdc_db_ctx->fx_cookie_dn == NULL) {
-		talloc_free(kdc_db_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	/* Setup the link to LDB */
 	kdc_db_ctx->samdb = samdb_connect(kdc_db_ctx,
 					  base_ctx->ev_ctx,

source4/kdc/hdb-samba4.c

@@ -119,125 +119,12 @@ static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db,
 	}
 }
 
-static int hdb_samba4_fill_fast_cookie(krb5_context context,
-				       struct samba_kdc_db_context *kdc_db_ctx)
-{
-	struct ldb_message *msg = ldb_msg_new(kdc_db_ctx);
-	int ldb_ret;
-
-	uint8_t secretbuffer[32];
-	struct ldb_val val = data_blob_const(secretbuffer,
-					     sizeof(secretbuffer));
-
-	if (msg == NULL) {
-		DBG_ERR("Failed to allocate msg for new fast cookie\n");
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-
-	/* Fill in all the keys with the same secret */
-	generate_secret_buffer(secretbuffer,
-			       sizeof(secretbuffer));
-
-	msg->dn = kdc_db_ctx->fx_cookie_dn;
-
-	ldb_ret = ldb_msg_add_value(msg, "secret", &val, NULL);
-
-	if (ldb_ret != LDB_SUCCESS) {
-		return ldb_ret;
-	}
-
-	ldb_ret = ldb_add(kdc_db_ctx->secrets_db,
-			  msg);
-	if (ldb_ret != LDB_SUCCESS) {
-		DBG_ERR("Failed to add fast cookie to ldb: %s\n",
-			ldb_errstring(kdc_db_ctx->secrets_db));
-	}
-	return ldb_ret;
-}
-
 static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
 						    struct samba_kdc_db_context *kdc_db_ctx,
 						    hdb_entry *entry)
 {
-	krb5_error_code ret = SDB_ERR_NOENTRY;
-	TALLOC_CTX *mem_ctx;
-	struct ldb_result *res;
-	int ldb_ret;
-	struct sdb_entry sentry = {};
-	const char *attrs[] = {
-		"secret",
-		NULL
-	};
-	const struct ldb_val *val;
-
-	mem_ctx = talloc_named(kdc_db_ctx, 0, "hdb_samba4_fetch_fast_cookie context");
-	if (!mem_ctx) {
-		ret = ENOMEM;
-		krb5_set_error_message(context, ret, "hdb_samba4_fetch_fast_cookie: talloc_named() failed!");
-		return ret;
-	}
-
-	/* search for CN=FX-COOKIE */
-	ldb_ret = ldb_search(kdc_db_ctx->secrets_db,
-			     mem_ctx,
-			     &res,
-			     kdc_db_ctx->fx_cookie_dn,
-			     LDB_SCOPE_BASE,
-			     attrs, NULL);
-
-	if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT || res->count == 0) {
-
-		ldb_ret = hdb_samba4_fill_fast_cookie(context,
-						      kdc_db_ctx);
-
-		if (ldb_ret != LDB_SUCCESS) {
-			TALLOC_FREE(mem_ctx);
-			return HDB_ERR_NO_WRITE_SUPPORT;
-		}
-
-		/* search for CN=FX-COOKIE */
-		ldb_ret = ldb_search(kdc_db_ctx->secrets_db,
-				     mem_ctx,
-				     &res,
-				     kdc_db_ctx->fx_cookie_dn,
-				     LDB_SCOPE_BASE,
-				     attrs, NULL);
-
-		if (ldb_ret != LDB_SUCCESS || res->count != 1) {
-			TALLOC_FREE(mem_ctx);
-			return HDB_ERR_NOENTRY;
-		}
-	}
-
-	val = ldb_msg_find_ldb_val(res->msgs[0],
-				   "secret");
-	if (val == NULL || val->length != 32) {
-		TALLOC_FREE(mem_ctx);
-		return HDB_ERR_NOENTRY;
-	}
-
-
-	ret = krb5_make_principal(context,
-				  &sentry.principal,
-				  KRB5_WELLKNOWN_ORG_H5L_REALM,
-				  KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie",
-				  NULL);
-	if (ret) {
-		TALLOC_FREE(mem_ctx);
-		return ret;
-	}
-
-	ret = samba_kdc_set_fixed_keys(context, val, ENC_ALL_TYPES,
-				       &sentry.keys);
-	if (ret != 0) {
-		return ret;
-	}
-
-	ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
-	sdb_entry_free(&sentry);
-	TALLOC_FREE(mem_ctx);
-
-	return ret;
+	DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n");
+	return HDB_ERR_NOENTRY;
 }
 
 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,

source4/kdc/kdc-heimdal.c

@@ -425,6 +425,35 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 	 */
 	kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
 
+	{
+		static const char *dummy_string = "Microsoft";
+
+		/*
+		 * The FAST cookie is not cryptographically required,
+		 * provided that the non-AD gss-preauth authentication
+		 * method is removed (as this is the only multi-step
+		 * authentication method).
+		 *
+		 * gss-preauth has been disabled both by not being
+		 * configured and by being made dependent
+		 * configuration for a "real" fast cookie.
+		 *
+		 * The hide_client_names feature in Heimdal is the
+		 * only other state that is persisted in the cookie,
+		 * and this does not need to be in the cookie for
+		 * single-shot authentication protocols such as ENC-TS
+		 * and ENC-CHAL, the standard password protocols in
+		 * AD.
+		 *
+		 * Furthermore, the Heimdal KDC does not fail if the
+		 * client does not supply a FAST cookie, showing that
+		 * the presence of the cookie is not required.
+		 */
+		kdc_config->enable_fast_cookie = false;
+		kdc_config->dummy_fast_cookie = smb_krb5_make_data(discard_const_p(char, dummy_string),
+								   strlen(dummy_string));
+	}
+
 	/*
 	 * Match Windows and RFC6113 and Windows but break older
 	 * Heimdal clients.

source4/kdc/samba_kdc.h

@@ -52,8 +52,6 @@ struct samba_kdc_db_context {
 	unsigned int my_krbtgt_number;
 	struct ldb_dn *krbtgt_dn;
 	struct samba_kdc_policy policy;
-	struct ldb_dn *fx_cookie_dn;
-	struct ldb_context *secrets_db;
 };
 
 struct samba_kdc_entry {