[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
Stefan Metzmacher <metze@samba.org> Fri, 18 August 2017 12:36 UTC
To: "heimdal-discuss@sics.se" <heimdal-discuss@sics.se>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Date: Fri, 18 Aug 2017 14:35:51 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/KpPapY7_Ygj0RtJQe6CvOhdPphU>
Subject: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
Hi,

I'm currently researching how I can implement S4U2Self in Samba's winbindd in order to get the PAC with the full Windows authorization token in a reliable way for any user within an Active Directory forest as well as across transitive forest trusts.

The only thing that should be required is a service (computer) account in the primary domain/realm.

But in practice I'm facing several problems:

Heimdal (at least the copy of ~1.5 within Samba) doesn't support S4U2Self for cross-realm trusts.

MIT (tested with 1.14.3) supports S4U2Self for cross-realm trusts which are in a simple hierarchy. Otherwise it complains and returns KRB5KRB_AP_ERR_ILL_CR_TKT. That can be fixed if I add the correct magic to the [capaths] section of krb5.conf.

The problem happens when you have 2 tree root domains within an Active Directory forest together with a forest trust. In my case I have a forest called W4EDOM-L4.BASE with a single domain and a forest called BLA.BASE with a 2nd domain BLA2.BASE. So the trust path between W4EDOM-L4.BASE and BLA2.BASE goes via BLA.BASE.

In an Active Directory environment domain members just delegate authentication to the domain controllers, so they trust their DCs to do the correct things, e.g. applying SID-Filtering for the PAC within the tickets. So the service can just verify that the PAC was correctly signed by a KDC of its own realm and everything else shouldn't matter; it doesn't have to know about the full trust topology!

While thinking about this I can't see any value in checking the transited list of the ticket, as that list is always under the control of the KDC that issued the ticket. And the service trusts its own KDC anyway, as well as any KDC in the trust chain trusts the next hop. The only reason for this list might be debugging.

The thing is that KDCs should apply some policies of which client realms can come over which direct trust, as KDCs have some knowledge about the trust topology.

This is basically what the SID-Filtering in Active Directory is for: it prevents DCs from other domains/realms from impersonating principals of the local realm.

Is there any reason to keep krb5_check_transited() (in Heimdal) and krb5_check_transited_list() (in MIT) in their current form?

If a KDC checks something it should be checking the PA-TGS-REQ, and verify that the client realm is allowed to transit via the realm of the (cross-realm) TGT. But checking the transited field of the ticket seems pointless to me.

If there's however a good reason to keep the checks for non-Active Directory realms, I'd propose to add something like gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to Heimdal and MIT in order to allow applications to avoid the pointless checks.

Comments on this would be highly appreciated!

If you're not so familiar with Active Directory domains, please have a look at:
https://www.samba.org/~metze/presentations/2017/SambaXP/StefanMetzmacher_sambaxp2017_windows_authentication-rev1-handout.pdf

Thanks!
metze
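The following is an added example, not code from the message above and not from Samba, Heimdal or MIT krb5. It models in Python the service-side transited check that krb5_check_transited_list() (MIT) and krb5_check_transited() (Heimdal) perform, reduced to its core: derive the path a ticket is expected to take between the client realm and the server realm (the RFC 4120 hierarchical default, overridden by a [capaths] entry when one exists) and reject any realm in the ticket's transited field that is not on that path. It uses the realms from the message (W4EDOM-L4.BASE, BLA.BASE, BLA2.BASE) to show why a forest trust between two tree roots trips the check without [capaths] and passes with it. Assumptions, labelled in the code: realm names are DNS-style, the transited field is taken as an already-decoded list of realm names (the compressed on-the-wire encoding is not modelled), and the `capaths` dict is a direct transcription of the krb5.conf section; the function names are the example's own.

```python
"""
Simplified model of a Kerberos service's transited-realm check.

Constructed example for this thread; it is NOT code from Samba, Heimdal
or MIT krb5.  Assumptions (labelled as such):
  * realm names are DNS-style, so the RFC 4120 default path between two
    realms is the hierarchical one (climb to the common ancestor, then
    descend);
  * a [capaths] entry, when present, replaces that default path;
  * the ticket's transited field has already been decoded into a plain
    list of realm names (the compressed wire encoding is not modelled).
The realm names come from the message above.
"""


def hierarchical_path(client_realm, server_realm):
    """Intermediate realms on the RFC 4120 hierarchical path (endpoints excluded)."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    # length of the shared suffix, e.g. 1 for X.BASE / Y.BASE
    n = 0
    while n < len(c) and n < len(s) and c[-1 - n] == s[-1 - n]:
        n += 1
    path = []
    # climb from the client realm up to (and including) the common ancestor
    for i in range(1, len(c) - n + 1):
        path.append(".".join(c[i:]))
    # descend from below the common ancestor down to (but excluding) the server
    for i in range(len(s) - n - 1, 0, -1):
        path.append(".".join(s[i:]))
    # drop the endpoints themselves and the empty "root" when nothing is shared
    ends = (client_realm.upper(), server_realm.upper())
    return [r for r in path if r and r not in ends]


def expected_path(client_realm, server_realm, capaths):
    """
    Realms a ticket from client_realm to server_realm is allowed to transit.

    capaths mirrors krb5.conf's [capaths] section as a dict:
        {client_realm: {server_realm: [intermediate, ...]}}
    with "." standing for a direct trust, exactly as in the config file.
    """
    entry = capaths.get(client_realm, {}).get(server_realm)
    if entry is None:
        return hierarchical_path(client_realm, server_realm)
    return [r for r in entry if r != "."]


def check_transited(client_realm, server_realm, transited, capaths=None):
    """
    Accept the ticket only if every realm in its transited field lies on
    the expected path.  Returns (ok, offending_realm_or_None).
    """
    allowed = set(expected_path(client_realm, server_realm, capaths or {}))
    for realm in transited:
        if realm not in allowed:
            return False, realm
    return True, None


# Constructed scenario from the thread: a forest W4EDOM-L4.BASE trusting a
# forest BLA.BASE that has a child domain BLA2.BASE.  A ticket for a user
# in BLA2.BASE presented to a service in W4EDOM-L4.BASE passes through
# BLA.BASE, so the transited field names that realm.
CLIENT_REALM = "BLA2.BASE"
SERVER_REALM = "W4EDOM-L4.BASE"
TRANSITED = ["BLA.BASE"]

# Equivalent krb5.conf fragment (constructed for this example):
#   [capaths]
#       BLA2.BASE = {
#           W4EDOM-L4.BASE = BLA.BASE
#       }
#       W4EDOM-L4.BASE = {
#           BLA2.BASE = BLA.BASE
#       }
CAPATHS = {
    "BLA2.BASE": {"W4EDOM-L4.BASE": ["BLA.BASE"]},
    "W4EDOM-L4.BASE": {"BLA2.BASE": ["BLA.BASE"]},
}


if __name__ == "__main__":
    # Without capaths the default path runs via the non-existent realm
    # "BASE", so BLA.BASE is unexpected: the KRB5KRB_AP_ERR_ILL_CR_TKT case.
    print(check_transited(CLIENT_REALM, SERVER_REALM, TRANSITED))
    # With the [capaths] entry the same ticket is accepted.
    print(check_transited(CLIENT_REALM, SERVER_REALM, TRANSITED, CAPATHS))
```

The first call rejects the ticket because the hierarchical rule expects the hop to go through a realm named BASE, which does not exist in this forest layout; the second accepts it because the [capaths] entry names BLA.BASE as the legitimate intermediate. The model makes the point in the message concrete: the check is only as informative as the service's own knowledge of the trust topology, which in an Active Directory deployment lives on the DCs, not on the member.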
- [kitten] Checking the transited list of a kerbero… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- [kitten] Tangent from: Checking the transited lis… Henry B (Hank) Hotz, CISSP
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Simo Sorce
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Simo Sorce
- Re: [kitten] Checking the transited list of a ker… Viktor Dukhovni
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Simo Sorce
- Re: [kitten] Checking the transited list of a ker… Martin Rex
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Nico Williams
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Nico Williams
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Isaac Boukris
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Greg Hudson
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher
- Re: [kitten] Checking the transited list of a ker… Stefan Metzmacher