s4:kdc: fix user2user tgs-requests for normal user accounts
authorStefan Metzmacher <metze@samba.org>
Wed, 11 Oct 2023 13:58:22 +0000 (15:58 +0200)
committerStefan Metzmacher <metze@samba.org>
Mon, 16 Oct 2023 15:38:12 +0000 (15:38 +0000)
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.

In addition, User2User also asserts that client and server
are the same account (checked based on the SID).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224

selftest/knownfail.d/krb5_user2user [deleted file]
source4/kdc/db-glue.c
source4/kdc/sdb.h

diff --git a/selftest/knownfail.d/krb5_user2user b/selftest/knownfail.d/krb5_user2user
deleted file mode 100644 (file)
index 44e2f8d..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_self_req
index 89de751f616d48162a6823833136b87cc3903f34..5da274c2a4af1d8ef7a19419e9db4ee0e4405c9c 100644 (file)
@@ -626,6 +626,24 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
                }
        }
 
+       if (flags & SDB_F_USER2USER_PRINCIPAL) {
+               /*
+                * User2User uses the session key
+                * from the additional ticket,
+                * so we just provide random keys
+                * here in order to make sure
+                * we never expose the user password
+                * keys.
+                */
+               ret = samba_kdc_set_random_keys(context,
+                                               supported_enctypes,
+                                               &entry->keys);
+
+               *supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;
+
+               goto out;
+       }
+
        if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
            && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
                ret = samba_kdc_set_random_keys(context,
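Review bot: The return value of samba_kdc_set_random_keys() is stored in ret but not examined before `*supported_enctypes_out` is written and control jumps to `out`, so on an allocation or RNG failure the caller may see a non-empty enctype set for an entry whose keys were never populated (assuming `out` returns ret, which this hunk does not show). Gating the assignment keeps the failure path consistent with the rest of the function: add `if (ret != 0) { goto out; }` directly before the `*supported_enctypes_out = supported_enctypes & ENC_ALL_TYPES;` line. The position of this block ahead of the UF_SMARTCARD_REQUIRED branch and of whatever follows is what keeps password-derived keys out of the entry for user2user fetches; a one-line comment such as `/* Must stay ahead of any password-key derivation below. */` would protect that ordering against later reshuffling. samba_kdc_message2entry_keys starts and ends outside this hunk.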
@@ -1099,6 +1117,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
        const struct authn_kerberos_client_policy *authn_client_policy = NULL;
        const struct authn_server_policy *authn_server_policy = NULL;
        int64_t enforced_tgt_lifetime_raw;
+       const bool user2user = (flags & SDB_F_USER2USER_PRINCIPAL);
 
        *entry = (struct sdb_entry) {};
 
@@ -1185,12 +1204,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
         */
        entry->flags.force_canonicalize = true;
 
-       /* Windows 2008 seems to enforce this (very sensible) rule by
+       /*
+        * Windows 2008 seems to enforce this (very sensible) rule by
         * default - don't allow offline attacks on a user's password
         * by asking for a ticket to them as a service (encrypted with
-        * their probably pathetically insecure password) */
+        * their probably pathetically insecure password)
+        *
+        * But user2user avoids using the keys bases on the password,
+        * so we can allow it.
+        */
 
-       if (entry->flags.server
+       if (entry->flags.server && !user2user
            && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
                if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
                        entry->flags.server = 0;
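Review bot: The comment added at lines 75-76 is now the only explanation of why a server entry without an SPN is accepted, and it rests on a check that is not in this diff — the commit message states that user2user additionally requires client and server to be the same account (compared by SID). The comment should name that dependency so the relaxation is not widened later without it, e.g. `* But user2user never uses the password-based keys (see the SDB_F_USER2USER_PRINCIPAL branch in samba_kdc_message2entry_keys) and, per the KDC's same-account check, only ever targets the requesting account itself, so we can allow it here.` It also carries a typo: `bases` should read `based`. samba_kdc_message2entry starts and ends outside this hunk.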
index e59d22434fd6fbf297652f2d0281066f307d9b84..d2fb67bd9e72cc257f47fb897f3d75d712ae8f15 100644 (file)
@@ -120,6 +120,7 @@ struct sdb_entry {
 #define SDB_F_FOR_AS_REQ       4096    /* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ      8192    /* fetch is for a TGS REQ */
 #define SDB_F_ARMOR_PRINCIPAL 262144   /* fetch is for the client of an armor ticket */
+#define SDB_F_USER2USER_PRINCIPAL 524288/* fetch is for the server of a user2user tgs-req */
 
 #define SDB_F_HDB_MASK         (SDB_F_DECRYPT | \
                                 SDB_F_GET_CLIENT| \
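Review bot: The new define at line 89 runs the value straight into its comment (`524288/* ...`), unlike the neighbouring lines which separate value and comment with whitespace; `#define SDB_F_USER2USER_PRINCIPAL 524288   /* fetch is for the server of a user2user tgs-req */`. The value is the next bit after SDB_F_ARMOR_PRINCIPAL (262144), so it does not collide with any flag visible here, but the flags between SDB_F_FORCE_CANON (16384) and SDB_F_ARMOR_PRINCIPAL are outside this hunk and deserve a glance in the full header. The mask hunk below has the same missing space (`SDB_F_ARMOR_PRINCIPAL| \`), though that at least matches the existing `SDB_F_GET_CLIENT|` line.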
@@ -130,7 +131,8 @@ struct sdb_entry {
                                 SDB_F_KVNO_SPECIFIED | \
                                 SDB_F_FOR_AS_REQ | \
                                 SDB_F_FOR_TGS_REQ | \
-                                SDB_F_ARMOR_PRINCIPAL)
+                                SDB_F_ARMOR_PRINCIPAL| \
+                                SDB_F_USER2USER_PRINCIPAL)
 
 /* This is not supported by HDB */
 #define SDB_F_FORCE_CANON      16384   /* force canonicalization */