[Heimdal-source-changes] [heimdal/heimdal] a59bb7: When building a princ name pick a sane def type

GitHub noreply at github.com
Tue Nov 15 04:44:49 CET 2016


  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: a59bb7132fec98e795daeb864a7688fe8fc3c54f
      https://github.com/heimdal/heimdal/commit/a59bb7132fec98e795daeb864a7688fe8fc3c54f
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M lib/krb5/principal.c
    M lib/krb5/test_pknistkdf.c
    M tests/gss/check-context.in

  Log Message:
  -----------
  When building a princ name pick a sane def type

This is part of the fix to #173.  MSFT RODCs insist that the name type for
krbtgt principals be set to KRB5_NT_SRV_INST.

Commentary from Jeffrey Altman <jaltman at secure-endpoints.com>

As reported by David Mulder of Dell's Quest, Active Directory will
return a BAD_INTEGRITY error when a request for a krbtgt service
ticket is received with principal type NT-PRINCIPAL instead of NT-SRV-INST
as required by RFC 4120.

[Nico: RFC4120 does not require this.  See the description of the
       name-type field of PrincipalName on page 55.]

  ERROR: VAS_ERR_KRB5: Failed to obtain credentials.
  Client: SLED10-32$@F.QAS,
  Service: SLED10-32$@F.QAS, Server: ad2-f.f.qas
  Caused by: KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353): Decrypt integrity check failed

Microsoft began enforcing principal type checking for RODCs in 2008R2.
Microsoft does state that ALL krbtgt/REALM tickets SHOULD be sent using
principal name type of KRB5_NT_SRV_INST instead of KRB5_NT_PRINCIPAL.

From Microsoft:

  "I believe we discovered the problem. There isn't a bug in Windows.
  There's been a code change to address another issue which puts in additional
  checks for Kerberos tickets. The problem is with the Unix clients when the
  client requests a TGT. The Unix clients are using Name-type Principal
  [KRB_NT_PRINCIPAL (1)] instead of using Name-type Service and Instance
  [KRB_NT_SRV_INST (2)]...."

This change assigns the NT-SRV-INST principal type each time a krbtgt
service principal is created.  Unlike Microsoft, Heimdal mostly does
not care about the name-type of any principals, with the exception of
referrals, where the name type is needed to decide how to find a
next-hop realm.


  Commit: 020f2c733e5bd03206ab602070b1f5b1f5158024
      https://github.com/heimdal/heimdal/commit/020f2c733e5bd03206ab602070b1f5b1f5158024
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M kdc/kerberos5.c

  Log Message:
  -----------
  kdc: principals of type NT-UNKNOWN can be anonymous

The _kdc_is_anonymous() helper function must take into account
that principals of type NT-UNKNOWN can match any other principal
type including NT-WELLKNOWN.

Change-Id: I6085b9471f6f1d662119e359491bbdce629ef048


  Commit: 09bdb3ab3e5a75e73ae1ead71bd1fd87512ed68f
      https://github.com/heimdal/heimdal/commit/09bdb3ab3e5a75e73ae1ead71bd1fd87512ed68f
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M lib/krb5/init_creds_pw.c

  Log Message:
  -----------
  Set the right name type for anon princ (client)

In fast_wrap_req() set the correct type in KDC_REQ client principal
name.

Also fix ENOMEM handling.


  Commit: 5aef50c8008183690be4229c19f6975c2b4110df
      https://github.com/heimdal/heimdal/commit/5aef50c8008183690be4229c19f6975c2b4110df
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M lib/gssapi/krb5/init_sec_context.c

  Log Message:
  -----------
  gss-krb5: do_delegate remove dead comment

The check on principal type has been commented out since do_delegate()
was committed.  Remove it.

Change-Id: Id98f35471e346cb3d0e9666b7cdb6f564191e6c1


  Commit: 6a1db3fb1c47405f0270c492139840447b94e00a
      https://github.com/heimdal/heimdal/commit/6a1db3fb1c47405f0270c492139840447b94e00a
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M lib/gssapi/krb5/import_name.c
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  princ type NT-UNKNOWN + "host" == NT-SRV-HST

Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".

Change-Id: I28fb619379daac827436040e701d4ab7b279852b


  Commit: 961f543a27ce552aab3ffe68c3dd69251d2cb576
      https://github.com/heimdal/heimdal/commit/961f543a27ce552aab3ffe68c3dd69251d2cb576
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M lib/krb5/principal.c

  Log Message:
  -----------
  Set princ type to NT-SMTP-NAME when parsing

In krb5_parse_name_flags(), if the principal name is not an enterprise
name, is one component in length and contains an '@', set the principal
type to NT-SMTP-NAME as specified by RFC 4120.
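The name-type rules described in the commit messages above (krbtgt -> NT-SRV-INST, "host" -> NT-SRV-HST, single component with '@' -> NT-SMTP-NAME, and NT-UNKNOWN matching NT-WELLKNOWN in the anonymous check) applied by two hypothetical helpers; this is an added illustration, not Heimdal's own code, and `default_name_type`, `is_anonymous_princ` and the sample names are constructed for it.

```c
/* Added illustration, not Heimdal's own code: the name-type rules from the
 * commit messages above, applied by two hypothetical helpers. */
#include <stdio.h>
#include <string.h>

/* PrincipalName name-type values from RFC 4120 section 6.2 (NT-WELLKNOWN
 * is defined in RFC 6111). */
enum name_type {
    NT_UNKNOWN = 0, NT_PRINCIPAL = 1, NT_SRV_INST = 2, NT_SRV_HST = 3,
    NT_SMTP_NAME = 7, NT_WELLKNOWN = 11
};

/* Hypothetical chooser: a sane default type for a newly built principal
 * name.  Callers that already know the type (e.g. enterprise names) skip it. */
enum name_type default_name_type(const char *const *comp, int ncomp)
{
    /* krbtgt/REALM: the type MS RODCs insist on for TGS requests */
    if (ncomp == 2 && strcmp(comp[0], "krbtgt") == 0)
        return NT_SRV_INST;
    /* host/fqdn: a name whose first component is "host" is a host service */
    if (ncomp >= 2 && strcmp(comp[0], "host") == 0)
        return NT_SRV_HST;
    /* one component that itself contains '@' is an SMTP-style name */
    if (ncomp == 1 && strchr(comp[0], '@') != NULL)
        return NT_SMTP_NAME;
    return NT_PRINCIPAL;
}

/* Hypothetical anonymous check: NT-UNKNOWN can stand for any type, so it is
 * accepted alongside NT-WELLKNOWN; any other type is rejected. */
int is_anonymous_princ(enum name_type type, const char *const *comp, int ncomp)
{
    if (type != NT_WELLKNOWN && type != NT_UNKNOWN)
        return 0;
    return ncomp == 2 && strcmp(comp[0], "WELLKNOWN") == 0 &&
           strcmp(comp[1], "ANONYMOUS") == 0;
}

int main(void)
{
    const char *const tgt[] = { "krbtgt", "EXAMPLE.COM" };   /* constructed */
    const char *const anon[] = { "WELLKNOWN", "ANONYMOUS" }; /* constructed */
    printf("krbtgt/EXAMPLE.COM -> name type %d\n", default_name_type(tgt, 2));
    printf("WELLKNOWN/ANONYMOUS as NT-UNKNOWN anonymous? %d\n",
           is_anonymous_princ(NT_UNKNOWN, anon, 2));
    return 0;
}
```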


  Commit: 9e2b6961908c397f85dc776b27698bbd57fe7f87
      https://github.com/heimdal/heimdal/commit/9e2b6961908c397f85dc776b27698bbd57fe7f87
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M kdc/default_config.c
    M kdc/kdc.h
    M kdc/misc.c

  Log Message:
  -----------
  Make kdc name type strictness configurable


  Commit: 22790e450800226c6bf750e53b8de402e8868031
      https://github.com/heimdal/heimdal/commit/22790e450800226c6bf750e53b8de402e8868031
  Author: Nicolas Williams <nico at twosigma.com>
  Date:   2016-11-14 (Mon, 14 Nov 2016)

  Changed paths:
    M tests/kdc/krb5-canon.conf.in
    M tests/kdc/krb5-canon2.conf.in
    M tests/kdc/krb5-hdb-mitdb.conf.in
    M tests/kdc/krb5-pkinit.conf.in
    M tests/kdc/krb5.conf.in
    M tests/kdc/krb5.conf.keys.in

  Log Message:
  -----------
  Test RODC interop fix


Compare: https://github.com/heimdal/heimdal/compare/84e959a75237...22790e450800

