mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/auth
Alexander Bokovoy f3e349bebc krb5-samba: interdomain trust uses different salt principal
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)

The salt principal for the BLA$ user object was generated wrong.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep  5 03:57:22 CEST 2018 on sn-devel-144
2018-09-05 03:57:22 +02:00
credentials krb5-samba: interdomain trust uses different salt principal 2018-09-05 03:57:22 +02:00
gensec auth:gensec: Add FALL_THROUGH statements in spnego.c 2018-03-01 04:37:43 +01:00
kerberos auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal 2018-03-19 07:33:44 +01:00
ntlmssp auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server 2018-05-16 03:26:03 +02:00
auth_log.c json: Modify API to use return codes 2018-07-25 06:29:50 +02:00
auth_sam_reply.c auth: add auth_user_info_copy() function 2018-03-15 21:54:17 +01:00
auth_sam_reply.h auth: add auth_user_info_copy() function 2018-03-15 21:54:17 +01:00
common_auth.h auth: For NTLM and KDC authentication, log the authentication duration 2018-06-25 08:32:14 +02:00
wbc_auth_util.c auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6 2016-06-30 03:30:26 +02:00
wscript_build auth_log: Use common code from audit_logging 2018-05-16 04:07:16 +02:00