[Heimdal-source-changes] [heimdal/heimdal] a59bb7: When building a princ name pick a sane def type
GitHub
noreply at github.com
Tue Nov 15 04:44:49 CET 2016
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: a59bb7132fec98e795daeb864a7688fe8fc3c54f
https://github.com/heimdal/heimdal/commit/a59bb7132fec98e795daeb864a7688fe8fc3c54f
Author: Nicolas Williams <nico at twosigma.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M lib/krb5/principal.c
M lib/krb5/test_pknistkdf.c
M tests/gss/check-context.in
Log Message:
-----------
When building a princ name pick a sane def type
This is part of the fix to #173. MSFT RODCs insist that the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.
Commentary from Jeffrey Altman <jaltman at secure-endpoints.com>
As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.
[Nico: RFC4120 does not require this. See the description of the
name-type field of PrincipalName on page 55.]
ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
Client: SLED10-32$@F.QAS,
Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed
Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krbtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.
From Microsoft:
"I believe we discovered the problem. There isn't a bug in Windows.
There's been a code change to address another issue which puts in additional
checks for Kerberos tickets. The problem is with the Unix clients when the
client request a TGT. The Unix clients are using Name-type Principal
[KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
[KRB_NT_SRV_INST (2)]...."
This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created. Unlike Microsoft, Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.
Commit: 020f2c733e5bd03206ab602070b1f5b1f5158024
https://github.com/heimdal/heimdal/commit/020f2c733e5bd03206ab602070b1f5b1f5158024
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M kdc/kerberos5.c
Log Message:
-----------
kdc: principals of type NT-UNKNOWN can be anonymous
The _kdc_is_anonymous() helper function must take into account
that principals of type NT-UNKNOWN can match any other principal
type including NT-WELLKNOWN.
Change-Id: I6085b9471f6f1d662119e359491bbdce629ef048
Commit: 09bdb3ab3e5a75e73ae1ead71bd1fd87512ed68f
https://github.com/heimdal/heimdal/commit/09bdb3ab3e5a75e73ae1ead71bd1fd87512ed68f
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M lib/krb5/init_creds_pw.c
Log Message:
-----------
Set the right name type for anon princ (client)
In fast_wrap_req() set the correct type in KDC_REQ client principal
name.
Also fix ENOMEM handling.
Commit: 5aef50c8008183690be4229c19f6975c2b4110df
https://github.com/heimdal/heimdal/commit/5aef50c8008183690be4229c19f6975c2b4110df
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M lib/gssapi/krb5/init_sec_context.c
Log Message:
-----------
gss-krb5: do_delegate remove dead comment
The check on principal type has been commented out since do_delegate()
was committed. Remove it.
Change-Id: Id98f35471e346cb3d0e9666b7cdb6f564191e6c1
Commit: 6a1db3fb1c47405f0270c492139840447b94e00a
https://github.com/heimdal/heimdal/commit/6a1db3fb1c47405f0270c492139840447b94e00a
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M lib/gssapi/krb5/import_name.c
M lib/krb5/get_cred.c
Log Message:
-----------
princ type NT-UNKNOWN + "host" == NT-SRV-HST
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".
Change-Id: I28fb619379daac827436040e701d4ab7b279852b
Commit: 961f543a27ce552aab3ffe68c3dd69251d2cb576
https://github.com/heimdal/heimdal/commit/961f543a27ce552aab3ffe68c3dd69251d2cb576
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M lib/krb5/principal.c
Log Message:
-----------
Set princ type to NT-SMTP-NAME when parsing
In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
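The name-type rules spelled out across these commits (krbtgt -> NT-SRV-INST, NT-UNKNOWN + "host" -> NT-SRV-HST, NT-UNKNOWN matching any type in the anonymous check, single component with '@' -> NT-SMTP-NAME) as a small stand-alone C model added here; this is not Heimdal's own code, the function names are hypothetical, and the numeric codes are the RFC 4120 section 6.2 values that the KRB5_NT_* enum uses.

```c
#include <stdio.h>
#include <string.h>

/* Name-type codes from RFC 4120 section 6.2 (same values as Heimdal's KRB5_NT_* enum). */
enum {
    NT_UNKNOWN    = 0,
    NT_PRINCIPAL  = 1,
    NT_SRV_INST   = 2,
    NT_SRV_HST    = 3,
    NT_SMTP_NAME  = 7,
    NT_ENTERPRISE = 10
};

/* Hypothetical model of the default-type rules from the commits above, applied to an
 * already-split principal: comps[0..ncomps-1] with the realm stripped off. */
int default_name_type(const char *const *comps, int ncomps, int is_enterprise)
{
    if (is_enterprise)
        return NT_ENTERPRISE;
    /* krbtgt/REALM: Active Directory RODCs reject anything but NT-SRV-INST. */
    if (ncomps == 2 && strcmp(comps[0], "krbtgt") == 0)
        return NT_SRV_INST;
    /* A non-enterprise, single-component name containing '@' is NT-SMTP-NAME. */
    if (ncomps == 1 && strchr(comps[0], '@') != NULL)
        return NT_SMTP_NAME;
    return NT_PRINCIPAL;
}

/* Resolve NT-UNKNOWN the way the "host" commit does: an unknown type whose first
 * component is "host" is treated as NT-SRV-HST; any other type is left unchanged. */
int effective_name_type(int type, const char *const *comps, int ncomps)
{
    if (type == NT_UNKNOWN && ncomps >= 1 && strcmp(comps[0], "host") == 0)
        return NT_SRV_HST;
    return type;
}

/* Comparison rule from the _kdc_is_anonymous() fix: NT-UNKNOWN matches any other type. */
int name_type_matches(int a, int b)
{
    return a == b || a == NT_UNKNOWN || b == NT_UNKNOWN;
}

int main(void)
{
    const char *tgt[] = { "krbtgt", "EXAMPLE.COM" }; /* constructed sample principal */
    printf("krbtgt/EXAMPLE.COM -> name type %d\n", default_name_type(tgt, 2, 0));
    return 0;
}
```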
Commit: 9e2b6961908c397f85dc776b27698bbd57fe7f87
https://github.com/heimdal/heimdal/commit/9e2b6961908c397f85dc776b27698bbd57fe7f87
Author: Nicolas Williams <nico at twosigma.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M kdc/default_config.c
M kdc/kdc.h
M kdc/misc.c
Log Message:
-----------
Make kdc name type strictness configurable
Commit: 22790e450800226c6bf750e53b8de402e8868031
https://github.com/heimdal/heimdal/commit/22790e450800226c6bf750e53b8de402e8868031
Author: Nicolas Williams <nico at twosigma.com>
Date: 2016-11-14 (Mon, 14 Nov 2016)
Changed paths:
M tests/kdc/krb5-canon.conf.in
M tests/kdc/krb5-canon2.conf.in
M tests/kdc/krb5-hdb-mitdb.conf.in
M tests/kdc/krb5-pkinit.conf.in
M tests/kdc/krb5.conf.in
M tests/kdc/krb5.conf.keys.in
Log Message:
-----------
Test RODC interop fix
Compare: https://github.com/heimdal/heimdal/compare/84e959a75237...22790e450800