Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher <metze@samba.org> Fri, 18 August 2017 13:22 UTC

To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>, "heimdal-discuss@h5l.org" <heimdal-discuss@h5l.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Openpgp: id=A3D192CE44EF412517BCED646A739B025C6B98D4
Message-ID: <fe30e2fa-089e-9142-e868-49f6f17cd1c3@samba.org>
Date: Fri, 18 Aug 2017 15:22:04 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="sfsExHewPgHVbfrmJ3wSHl2nrJLmD3tHI"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PMYN8_vrZTNPJ27g-QqPTXrJ7xI>
Subject: Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

Moving this from heimdal-discuss@sics.se to heimdal-discuss@h5l.org,
sorry...

On 18.08.2017 at 14:35, Stefan Metzmacher via samba-technical wrote:
> Hi,
> 
> I'm currently researching how I can implement S4U2Self in
> Samba's winbindd in order to get the PAC with the full
> Windows authorization token in a reliable way for any user
> within an active directory forest as well as across transitive
> forest trusts.
> 
> The only thing that should be required is a service (computer) account
> in the primary domain/realm.
> 
> But in practice I'm facing several problems:
> 
> Heimdal (at least the copy of ~ 1.5 within Samba)
> doesn't support S4U2Self for cross-realm trusts.
> 
> MIT (tested with 1.14.3) supports S4U2Self for
> cross-realm trusts which are in a simple hierarchy.
> Otherwise it complains and returns KRB5KRB_AP_ERR_ILL_CR_TKT.
> That can be fixed if I add the correct magic to the [capaths] section
> of krb5.conf.
> 
> The problem happens when you have 2 tree root domains within an
> active directory forest together with a forest trust.
> 
> In my case I have a forest called W4EDOM-L4.BASE with a single domain
> and a forest called BLA.BASE with a 2nd domain BLA2.BASE.
> 
> So the trust path between W4EDOM-L4.BASE and BLA2.BASE goes via BLA.BASE.
> 
> In an active directory environment domain members just delegate
> authentication to the domain controllers, so they trust
> their DCs to do the correct things, e.g. applying SID-Filtering
> for the PAC within the tickets.
> 
> So the service can just verify the PAC was correctly signed by
> a KDC of its own realm and everything else shouldn't matter,
> it doesn't have to know about the full trust topology!
> 
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.
> 
> The thing is that KDCs should apply some policies
> of which client realms can come over which direct trust,
> as KDCs have some knowledge about the trust topology.
> This is basically what the SID-Filtering in active directory
> is for, it prevents DCs from other domains/realms to impersonate
> principals of the local realm.
> 
> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) in their current form?
> 
> If a KDC checks something it should be checking the PA-TGS-REQ,
> and verify the client realm is allowed to transit via the
> realm of the (cross-realm) tgt. But checking the transited field
> of the ticket seems pointless to me.
> 
> If there's however a good reason to keep the checks for
> non-active-directory realms, I'd propose to add something like
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
> to Heimdal and MIT in order to allow applications to avoid
> the pointless checks.
> 
> Comments on this would be highly appreciated!
> 
> If you're not so familiar with active directory domains,
> please have a look at:
> https://www.samba.org/~metze/presentations/2017/SambaXP/StefanMetzmacher_sambaxp2017_windows_authentication-rev1-handout.pdf
> 
> Thanks!
> metze
>
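The KRB5KRB_AP_ERR_ILL_CR_TKT described above comes from exactly the kind of transited-realm check the message questions: the library computes the path it expects between the client realm and the server realm and rejects a ticket whose transited field names any other realm. The following Python is an added, simplified model of that check, written for this page; it is not code from Samba, MIT or Heimdal. It assumes domain-style realm names, takes the transited field already expanded to full realm names (the RFC 4120 compressed encoding is not decoded here), uses the hierarchical default when no [capaths] entry exists, and treats a [capaths] entry as the list of intermediate realms with "." meaning a direct trust. The realm names and the direction of the S4U2Self ticket (client BLA2.BASE, service in W4EDOM-L4.BASE, path through BLA.BASE) are taken from the message; the function names are this example's own.

```python
"""Simplified model of a Kerberos transited-realm check.

Added example, not MIT/Heimdal/Samba code. Assumptions:
- realm names are domain-style (labels separated by '.');
- the ticket's transited field is already expanded to full realm names;
- without a [capaths] entry the expected path is the hierarchical default
  (walk up from one realm to the common suffix, then down to the other);
- a [capaths] entry lists the intermediate realms, "." meaning direct.
"""

from typing import Dict, List, Optional

# capaths[client_realm][server_realm] -> intermediate realms, in order
CapathsConfig = Dict[str, Dict[str, List[str]]]


def hierarchical_path(crealm: str, srealm: str) -> List[str]:
    """Intermediate realms between crealm and srealm under the default
    hierarchical rule, i.e. what applies when krb5.conf has no [capaths]
    entry for this pair."""
    c_labels = crealm.split(".")
    s_labels = srealm.split(".")
    # number of trailing labels the two realms share
    common = 0
    while (common < len(c_labels) and common < len(s_labels)
           and c_labels[-1 - common] == s_labels[-1 - common]):
        common += 1
    if common == 0:
        # no common ancestor: model this as "direct trust expected"
        return []
    # walk up from crealm to the common ancestor realm
    up = [".".join(c_labels[i:]) for i in range(1, len(c_labels) - common + 1)]
    # walk down from the common ancestor realm towards srealm
    down = [".".join(s_labels[i:]) for i in range(len(s_labels) - common, 0, -1)]
    # the common ancestor appears in both walks; keep order, drop duplicates
    path = list(dict.fromkeys(up + down))
    return [r for r in path if r not in (crealm, srealm)]


def expected_path(crealm: str, srealm: str,
                  capaths: Optional[CapathsConfig] = None) -> List[str]:
    """Intermediate realms the ticket is expected to have transited."""
    if capaths and srealm in capaths.get(crealm, {}):
        hops = capaths[crealm][srealm]
        return [] if hops == ["."] else list(hops)
    return hierarchical_path(crealm, srealm)


def check_transited(crealm: str, srealm: str, transited: List[str],
                    capaths: Optional[CapathsConfig] = None) -> bool:
    """True if every realm in the ticket's transited field is one the
    configuration allows between crealm and srealm; the client and
    server realms themselves are always acceptable."""
    allowed = set(expected_path(crealm, srealm, capaths))
    return all(r in (crealm, srealm) or r in allowed for r in transited)


# Constructed scenario from the mail: a service in W4EDOM-L4.BASE obtains an
# S4U2Self ticket for a user of BLA2.BASE; the referral path ran via BLA.BASE.
CREALM = "BLA2.BASE"
SREALM = "W4EDOM-L4.BASE"
TRANSITED = ["BLA.BASE"]

# Equivalent krb5.conf fragment (MIT/Heimdal [capaths] syntax), one entry
# per direction because the check is keyed on the client realm:
#   [capaths]
#       W4EDOM-L4.BASE = {
#           BLA2.BASE = BLA.BASE
#       }
#       BLA2.BASE = {
#           W4EDOM-L4.BASE = BLA.BASE
#       }
CAPATHS: CapathsConfig = {
    "W4EDOM-L4.BASE": {"BLA2.BASE": ["BLA.BASE"]},
    "BLA2.BASE": {"W4EDOM-L4.BASE": ["BLA.BASE"]},
}


def demo() -> Dict[str, object]:
    """Show why the hierarchical default rejects the ticket and capaths fixes it."""
    return {
        # the default expects the path to go through a realm called BASE
        "hierarchical_default": expected_path(CREALM, SREALM),
        "without_capaths": check_transited(CREALM, SREALM, TRANSITED),
        "with_capaths": check_transited(CREALM, SREALM, TRANSITED, CAPATHS),
    }


if __name__ == "__main__":
    print(demo())
```

Without the [capaths] entry the default rule expects the hop between BLA2.BASE and W4EDOM-L4.BASE to be a realm named BASE, so a transited field naming BLA.BASE fails the check; with the entry the same ticket passes. The model also shows the limit the message points out: the check only compares the KDC-supplied transited field against local configuration, so it cannot tell whether a trusted KDC actually applied its own policy.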