Samuel Cabrero 89b914b3c5 s3:winbind: Use the canonical realm name to renew the credentials
Consider the following AD topology where all trusts are parent-child
trusts:

                   ADOM.AFOREST.AD
                          |
            ACHILD.ADOM.AFOREST.AD
                          |
AGRANDCHILD.ACHILD.ADOM.AFOREST.AD <-- Samba joined

When logging into the Samba machine using pam_winbind with kerberos enabled
with user ACHILD\user1, the ccache content is:

	Default principal: user1@ACHILD.ADOM.AFOREST.AD

	Valid starting       Expires              Service principal
	07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:09:23
-->	07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket
	        renew until 07/13/2022 16:09:23
	07/06/2022 16:09:23  07/06/2022 16:14:23  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:09:23

But when logging in with user ADOM\user1, the ccache content is:

	Default principal: user1@ADOM.AFOREST.AD

	Valid starting       Expires              Service principal
	07/06/2022 16:04:37  07/06/2022 16:09:37  krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
	        renew until 07/13/2022 16:04:37
	07/06/2022 16:04:37  07/06/2022 16:09:37  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	        renew until 07/13/2022 16:04:37

MIT does not store the intermediate TGTs when there is more than one hop:

	ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)]

	Getting credentials user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
	Starting with TGT for client realm: user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD using TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
	Sending request to ADOM.AFOREST.AD
	Received answer from stream 192.168.101.32:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key rc4-hmac/D88B
-->	Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket is not stored

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD
	Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
	Received answer (1628 bytes) from stream 192.168.101.33:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/D015
-->	Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT is not stored

	Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
	Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Received answer (1647 bytes) from stream 192.168.101.34:88
	TGS reply is for user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
	Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Storing user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

In the case of ACHILD\user1:

	ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)]

	Getting credentials user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
	Starting with TGT for client realm: user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD

	Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
	Sending request to ACHILD.ADOM.AFOREST.AD
	Received answer from stream 192.168.101.33:88
	TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/0F60
-->	Storing user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000 <-- NOTE this TGT is stored
	Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD

	Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
	Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Received answer (1675 bytes) from stream 192.168.101.34:88
	TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
	Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
	Storing user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000

The result is that winbindd can't refresh the tickets for ADOM\user1
because the local realm is used to build the TGT service name.

	smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD'

	Retrieving user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105)

The canonical realm name must be used instead:

	smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD'

	Retrieving user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: 0/Success
	Get cred via TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD after requesting krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD (canonicalize off)
	Sending request to ADOM.AFOREST.AD
	Received answer from stream 192.168.101.32:88
	TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key aes256-cts/8C7B
	Storing user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184

(cherry picked from commit 116af0df4f)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jul 18 09:40:12 UTC 2022 on sn-devel-184
2022-07-18 09:40:12 +00:00
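The credential lookup mismatch described in this commit message, as an added example that is not Samba's code: a small Python model that parses the two klist listings shown above (embedded here as constructed strings, tabs replaced by spaces) and checks which krbtgt credential each renewal strategy would find in the ccache. `LOCAL_REALM`, the function names, and the modelling of the old lookup as `krbtgt/<local realm>@<client realm>` (the principal retrieved in the failing "Retrieving ..." trace line above) are assumptions of this example, not winbindd's internal API.

```python
"""Added example (not Samba's code): model why renewing with a krbtgt built
from the joined machine's realm fails for ADOM\\user1 but works for
ACHILD\\user1, given the ccache contents shown in the commit message."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: realm of the Samba machine, taken from the topology above.
LOCAL_REALM = "AGRANDCHILD.ACHILD.ADOM.AFOREST.AD"

# Constructed from the two klist listings in the commit message.
KLIST_ADOM = """\
Default principal: user1@ADOM.AFOREST.AD

Valid starting       Expires              Service principal
07/06/2022 16:04:37  07/06/2022 16:09:37  krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD
        renew until 07/13/2022 16:04:37
07/06/2022 16:04:37  07/06/2022 16:09:37  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
        renew until 07/13/2022 16:04:37
"""

KLIST_ACHILD = """\
Default principal: user1@ACHILD.ADOM.AFOREST.AD

Valid starting       Expires              Service principal
07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
        renew until 07/13/2022 16:09:23
07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD
        renew until 07/13/2022 16:09:23
07/06/2022 16:09:23  07/06/2022 16:14:23  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
        renew until 07/13/2022 16:09:23
"""


@dataclass
class Cred:
    client: str
    service: str
    valid_from: str
    expires: str
    renew_until: Optional[str] = None


_TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS})$")


def parse_klist(text: str) -> Tuple[str, List[Cred]]:
    """Parse MIT klist output into (default principal, list of credentials)."""
    client = ""
    creds: List[Cred] = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Default principal:"):
            client = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            creds.append(Cred(client, m.group(3), m.group(1), m.group(2)))
            continue
        m = RENEW_RE.match(line)
        if m and creds:
            creds[-1].renew_until = m.group(1)  # continuation of previous ticket
    return client, creds


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def renewal_target_local_realm(client: str, local_realm: str) -> str:
    """Old behaviour: service name built from the joined machine's realm.
    Assumption of this model: the credential then looked up in the ccache is
    the cross-realm TGT krbtgt/<local realm>@<client realm>, as in the
    failing 'Retrieving ...' trace line."""
    return f"krbtgt/{local_realm}@{realm_of(client)}"


def renewal_target_canonical(client: str) -> str:
    """Fixed behaviour: the krbtgt of the client's own (canonical) realm."""
    realm = realm_of(client)
    return f"krbtgt/{realm}@{realm}"


def find_cred(creds: List[Cred], client: str, service: str) -> Optional[Cred]:
    for c in creds:
        if c.client == client and c.service == service:
            return c
    return None


def renewable_tgt(klist_text: str, local_realm: str, canonical: bool) -> Optional[Cred]:
    """Return the ccache entry a renewal would use, or None if it is missing."""
    client, creds = parse_klist(klist_text)
    service = (renewal_target_canonical(client) if canonical
               else renewal_target_local_realm(client, local_realm))
    return find_cred(creds, client, service)


if __name__ == "__main__":
    for name, text in (("ADOM\\user1", KLIST_ADOM), ("ACHILD\\user1", KLIST_ACHILD)):
        for canonical in (False, True):
            hit = renewable_tgt(text, LOCAL_REALM, canonical)
            mode = "canonical realm" if canonical else "local realm    "
            outcome = f"renew via {hit.service}" if hit else "Matching credential not found"
            print(f"{name:13} {mode}: {outcome}")
```

Running the script shows the asymmetry the commit describes: with the local-realm target only the one-hop ACHILD\user1 ccache has a usable entry, while the canonical-realm target is found in both caches. For a defender the same two signals are what to check when pam_winbind sessions from a grandparent domain lose their tickets after the renewal interval: a winbindd log line ending in "Matching credential not found" for a krbtgt of the machine's own realm, and klist output in which no intermediate krbtgt entries appear.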