IETF Logo Mail Archive

Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

mrex@sap.com (Martin Rex) Wed, 30 August 2017 22:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1980313294B for <kitten@ietfa.amsl.com>; Wed, 30 Aug 2017 15:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F93rbrZn14vY for <kitten@ietfa.amsl.com>; Wed, 30 Aug 2017 15:37:35 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C75261200F3 for <kitten@ietf.org>; Wed, 30 Aug 2017 15:37:34 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 3xjL3w6kxvz1HBc; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
X-purgate-ID: 152705::1504132652-00000805-1EE4DD83/0/0
X-purgate-size: 2274
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3xjL3w3GgTzGnyY; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 6A91B1A6EC; Thu, 31 Aug 2017 00:37:32 +0200 (CEST)
In-Reply-To: <db882372-aa1d-e58e-4c94-a268539bd2ee@samba.org>
To: Stefan Metzmacher <metze@samba.org>
Date: Thu, 31 Aug 2017 00:37:32 +0200
CC: Simo Sorce <simo@redhat.com>, Greg Hudson <ghudson@mit.edu>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170830223732.6A91B1A6EC@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/02No9I7ws-qjjWtJ1I4Cb9MyJW4>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2017 22:37:37 -0000

Stefan Metzmacher wrote:
> 
>>> I guess the proposed credential option is necessary, in that case.
>>>
>> 
>> I think in this case ignoring the flag should probably be conditional
>> to whether a PAC is present.
> 
> We should enforce a PAC always to be present, as we don't support
> trusted domains with LSA_TRUST_TYPE_MIT anyway.

I haven't really followed the discussion here, but Microsoft PACs are
a royal PITA, wasting huge amounts of network bandwidth, creating
bad latency on authentication, causing spurious authentication failures
during high-load situations and completely breaking certain rfc4559
HTTP Negotiate scenarios when users are assigned to lots of groups
in Microsoft AD.  Bottlenecks in LSA PAC verifications are extremely
annoying, such as using Outlook&Exchange with 50k+ Users and
at least once an hour an Outlook Password logon prompt pops up because
one of the crazy many rfc4559 Kerberos authentications failed between
Outlook and Exchange.  (Hitting cancel on the popup and toggling
offline/online in the Outlook window status bar retries Kerberos
authentication and typically succeeds...


Simply disabling PACs on the service account for service tickets
solves all of the hard and annoying problems, by enabling the bit
UF_NO_AUTH_DATA_REQUIRED (0x02000000) in the UserAccountControl
property of the service account.

Without setting this bit to omit the crazy PACs, common problems with
heavy (mindless) Group membership usage are this:

   https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/


Reasons why the myriads of PAC verfications occasionally fail:

   https://blogs.technet.microsoft.com/instan/2011/11/14/the-return-of-pac-mania-aka-some-reasons-why-pac-verification-can-fail/

and btw. huge kerberos tickets can also make rfc4559 fail because of
the excessive size of the HTTP header field to carry the AP_REQ with the
kerberos ticket.

Whenever authorization isn't actually managed through PACs,
i.e. pretty much 100% of the time when the backend is a database
and access through rfc4559 HTTP Negotiate, omitting PACs from Kerberos
tickets comes close to a universal panacea for a huge amount of
"occasional" failures.


-Martin

v2.23.0 | Report a Bug | By Email