s4:kdc: fix user2user tgs-requests for normal user accounts

User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.

In addition User2User also asserts that client and server
are the same account (cecked based on the sid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224

selftest/knownfail.d/krb5_user2user

@@ -1 +0,0 @@
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req

source4/kdc/db-glue.c

@@ -626,6 +626,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		}
 	}
 
+	if (flags & SDB_F_USER2USER_PRINCIPAL) {
+		/*
+		 * User2User uses the session key
+		 * from the additional ticket,
+		 * so we just provide random keys
+		 * here in order to make sure
+		 * we never expose the user password
+		 * keys.
+		 */
+		ret = samba_kdc_set_random_keys(context,
+						supported_enctypes,
+						&entry->keys);
+
+		*supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;
+
+		goto out;
+	}
+
 	if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
 	    && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
 		ret = samba_kdc_set_random_keys(context,
@@ -1099,6 +1117,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	const struct authn_kerberos_client_policy *authn_client_policy = NULL;
 	const struct authn_server_policy *authn_server_policy = NULL;
 	int64_t enforced_tgt_lifetime_raw;
+	const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL);
 
 	*entry = (struct sdb_entry) {};
 
@@ -1185,12 +1204,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	 */
 	entry->flags.force_canonicalize = true;
 
-	/* Windows 2008 seems to enforce this (very sensible) rule by
+	/*
+	 * Windows 2008 seems to enforce this (very sensible) rule by
 	 * default - don't allow offline attacks on a user's password
 	 * by asking for a ticket to them as a service (encrypted with
-	 * their probably pathetically insecure password) */
+	 * their probably pathetically insecure password)
+	 *
+	 * But user2user avoids using the keys bases on the password,
+	 * so we can allow it.
+	 */
 
-	if (entry->flags.server
+	if (entry->flags.server && !user2user
 	    && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
 		if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
 			entry->flags.server = 0;

source4/kdc/sdb.h

@@ -120,6 +120,7 @@ struct sdb_entry {
 #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
 #define SDB_F_ARMOR_PRINCIPAL 262144	/* fetch is for the client of an armor ticket */
+#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */
 
 #define SDB_F_HDB_MASK		(SDB_F_DECRYPT | \
 				 SDB_F_GET_CLIENT| \
@@ -130,7 +131,8 @@ struct sdb_entry {
 				 SDB_F_KVNO_SPECIFIED | \
 				 SDB_F_FOR_AS_REQ | \
 				 SDB_F_FOR_TGS_REQ | \
-				 SDB_F_ARMOR_PRINCIPAL)
+				 SDB_F_ARMOR_PRINCIPAL| \
+				 SDB_F_USER2USER_PRINCIPAL)
 
 /* This is not supported by HDB */
 #define SDB_F_FORCE_CANON	16384	/* force canonicalization */