Re: [kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...
Stefan Metzmacher <metze@samba.org> Fri, 18 August 2017 13:22 UTC
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>, "heimdal-discuss@h5l.org" <heimdal-discuss@h5l.org>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <fe30e2fa-089e-9142-e868-49f6f17cd1c3@samba.org>
Date: Fri, 18 Aug 2017 15:22:04 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PMYN8_vrZTNPJ27g-QqPTXrJ7xI>
Moving this from heimdal-discuss@sics.se to heimdal-discuss@h5l.org, sorry...

On 18.08.2017 at 14:35, Stefan Metzmacher via samba-technical wrote:
> Hi,
>
> I'm currently researching how I can implement S4U2Self in
> Samba's winbindd in order to get the PAC with the full
> Windows authorization token in a reliable way for any user
> within an active directory forest as well as across transitive
> forest trusts.
>
> The only thing that should be required is a service (computer) account
> in the primary domain/realm.
>
> But in practice I'm facing several problems:
>
> Heimdal (at least the copy of ~ 1.5 within Samba)
> doesn't support S4U2Self for cross-realm trusts.
>
> MIT (tested with 1.14.3) supports S4U2Self for
> cross-realm trusts which are in a simple hierarchy.
> Otherwise it complains and returns KRB5KRB_AP_ERR_ILL_CR_TKT.
> That can be fixed if I add the correct magic to the [capaths] section
> of krb5.conf.
>
> The problem happens when you have 2 tree root domains within an
> active directory forest together with a forest trust.
>
> In my case I have a forest called W4EDOM-L4.BASE with a single domain
> and a forest called BLA.BASE with a 2nd domain BLA2.BASE.
>
> So the trust path between W4EDOM-L4.BASE and BLA2.BASE goes via BLA.BASE.
>
> In an active directory environment domain members just delegate
> authentication to the domain controllers, so they trust
> their DCs to do the correct things, e.g. applying SID-Filtering
> for the PAC within the tickets.
>
> So the service can just verify the PAC was correctly signed by
> a KDC of its own realm and everything else shouldn't matter;
> it doesn't have to know about the full trust topology!
>
> While thinking about this I can't see any value in checking the
> transited list of the ticket, as that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.
>
> The thing is that KDCs should apply some policies
> of which client realms can come over which direct trust,
> as KDCs have some knowledge about the trust topology.
> This is basically what the SID-Filtering in active directory
> is for: it prevents DCs from other domains/realms from impersonating
> principals of the local realm.
>
> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) in their current form?
>
> If a KDC checks something it should be checking the PA-TGS-REQ,
> and verify the client realm is allowed to transit via the
> realm of the (cross-realm) tgt. But checking the transited field
> of the ticket seems pointless to me.
>
> If there's however a good reason to keep the checks for non
> active directory realms, I'd propose to add something like
> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X)
> to Heimdal and MIT in order to allow applications to avoid
> the pointless checks.
>
> Comments on this would be highly appreciated!
>
> If you're not so familiar with active directory domains,
> please have a look at:
> https://www.samba.org/~metze/presentations/2017/SambaXP/StefanMetzmacher_sambaxp2017_windows_authentication-rev1-handout.pdf
>
> Thanks!
> metze
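The per-hop transit policy argued for in the message, as an added example that is not Heimdal's, MIT's or Samba's code: it models a krb5.conf [capaths] entry for the realms named in the mail (W4EDOM-L4.BASE, BLA.BASE, BLA2.BASE) together with the hierarchical fallback MIT applies when no entry exists, and works on the expanded realm list rather than on the compressed transited encoding stored in the ticket; the CAPATHS dict is a constructed policy.

```python
# Added example (not Heimdal/MIT/Samba code): the transit-path policy check
# the thread argues a KDC should apply, using the realms from the mail.
# [capaths] semantics follow krb5.conf: CLIENT = { SERVER = HOP ... }, with
# "." meaning a direct hop. Realm lists here are the expanded path, not the
# DOMAIN-X500-COMPRESS string that is stored in a ticket's transited field.

def hierarchical_path(client, server):
    """Default path when [capaths] has no entry: walk up from the client
    realm to the longest common DNS suffix, then down to the server realm."""
    c, s = client.split("."), server.split(".")
    n = 0                               # number of labels in the common suffix
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    path = [".".join(c[i:]) for i in range(1, len(c) - n)]           # upwards
    common = ".".join(c[len(c) - n:])
    if n and common not in (client, server):
        path.append(common)
    path += [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]  # downwards
    return [client] + path + [server]

def capaths_path(client, server, capaths):
    """Path permitted by a [capaths]-style policy dict. Without an entry it
    falls back to the hierarchical guess; for the mail's two-tree forest that
    guess runs through a non-existent BASE realm, hence ILL_CR_TKT from MIT."""
    hops = capaths.get(client, {}).get(server)
    if hops is None:
        return hierarchical_path(client, server)
    return [client] + [h for h in hops if h != "."] + [server]

def transit_allowed(client, server, transited, capaths):
    """Service-side check: the realms actually transited (client and server
    realms excluded) must be exactly the intermediates the policy permits."""
    return list(transited) == capaths_path(client, server, capaths)[1:-1]

def tgt_realm_allowed(client, local_realm, tgt_realm, capaths):
    """The per-hop check proposed in the mail: a KDC in local_realm that
    receives a TGS-REQ carrying a cross-realm TGT issued by tgt_realm verifies
    that tgt_realm is the hop the policy expects right before itself."""
    return capaths_path(client, local_realm, capaths)[-2] == tgt_realm

# Constructed policy for the topology in the mail: W4EDOM-L4.BASE reaches
# BLA2.BASE only through BLA.BASE, the forest root of the other forest.
CAPATHS = {
    "W4EDOM-L4.BASE": {"BLA.BASE": ["."], "BLA2.BASE": ["BLA.BASE"]},
    "BLA2.BASE": {"W4EDOM-L4.BASE": ["BLA.BASE"]},
}
```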