Adapt samba to new MIT library v1.18

2020-01-21 14:56:26 +01:00 · 2020-01-21 14:56:26 +01:00 · 1af0af009b
commit 1af0af009b
parent c52963795a
2 changed files with 176 additions and 1 deletions
--- a/new_mit_118.patch
+++ b/new_mit_118.patch
@ -0,0 +1,174 @@
+From 04b262f686b5b16ba659ade1e4b5778e2b219f0a Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 16 Sep 2019 16:40:12 +0300
+Subject: [PATCH 1/2] Adapt sign_authdata in our KDB module for krb5 v1.18
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+---
+ source4/kdc/mit-kdb/kdb_samba.c          |  2 +-
+ source4/kdc/mit-kdb/kdb_samba.h          | 21 +++++++++++++++++++++
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 24 ++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
+index c5157d6ed1b..02bbdca9f54 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.c
+++ b/source4/kdc/mit-kdb/kdb_samba.c
+@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
+ 
+ kdb_vftabl kdb_function_table = {
+ 	.maj_ver                   = KRB5_KDB_DAL_MAJOR_VERSION,
+-	.min_ver                   = 1,
+	.min_ver                   = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
+ 
+ 	.init_library              = kdb_samba_init_library,
+ 	.fini_library              = kdb_samba_fini_library,
+diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
+index 22ef9085b6a..ad4f6e27573 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
+@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
+ 
+ /* from kdb_samba_policies.c */
+ 
+#if KRB5_KDB_API_VERSION < 10
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 					    unsigned int flags,
+ 					    krb5_const_principal client_princ,
+@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 					    krb5_timestamp authtime,
+ 					    krb5_authdata **tgt_auth_data,
+ 					    krb5_authdata ***signed_auth_data);
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+					    unsigned int flags,
+					    krb5_const_principal client_princ,
+					    krb5_const_principal server_princ,
+					    krb5_db_entry *client,
+					    krb5_db_entry *server,
+					    krb5_db_entry *krbtgt,
+					    krb5_db_entry *local_krbtgt,
+					    krb5_keyblock *client_key,
+					    krb5_keyblock *server_key,
+					    krb5_keyblock *krbtgt_key,
+					    krb5_keyblock *local_krbtgt_key,
+					    krb5_keyblock *session_key,
+					    krb5_timestamp authtime,
+					    krb5_authdata **tgt_auth_data,
+					    void *authdata_info,
+					    krb5_data ***auth_indicators,
+					    krb5_authdata ***signed_auth_data);
+#endif
+ 
+ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
+ 					     krb5_kdc_req *kdcreq,
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index fc80329f221..e2f7174b0c2 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -287,6 +287,7 @@ done:
+ 	return code;
+ }
+ 
+#if KRB5_KDB_API_VERSION < 10
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 					    unsigned int flags,
+ 					    krb5_const_principal client_princ,
+@@ -301,6 +302,29 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 					    krb5_authdata **tgt_auth_data,
+ 					    krb5_authdata ***signed_auth_data)
+ {
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+					    unsigned int flags,
+					    krb5_const_principal client_princ,
+					    krb5_const_principal server_princ,
+					    krb5_db_entry *client,
+					    krb5_db_entry *server,
+					    krb5_db_entry *krbtgt,
+					    krb5_db_entry *local_krbtgt,
+					    krb5_keyblock *client_key,
+					    krb5_keyblock *server_key,
+					    krb5_keyblock *krbtgt_key,
+					    krb5_keyblock *local_krbtgt_key,
+					    krb5_keyblock *session_key,
+					    krb5_timestamp authtime,
+					    krb5_authdata **tgt_auth_data,
+					    void *authdata_info,
+					    krb5_data ***auth_indicators,
+					    krb5_authdata ***signed_auth_data)
+{
+	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+#endif
+ 	krb5_const_principal ks_client_princ;
+ 	krb5_authdata **authdata = NULL;
+ 	krb5_boolean is_as_req;
+-- 
+2.24.1
+
+
+From c968ec07fa403ed919dcda7b3087e0d10d1e7a32 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 16 Jan 2020 22:00:21 +0100
+Subject: [PATCH 2/2] Sign and verify PAC with ticket principal instead of
+ canon principal
+
+With MIT library 1.18 the KDC no longer set
+KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
+us to not canonicalize them (like in Windwos / Heimdal).
+
+However, it now breaks the PAC signature verification as it was
+wrongly done using canonical client rather than ticket client name.
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+---
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index e2f7174b0c2..6a5f06a8a8c 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -325,20 +325,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+ 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+ #endif
+-	krb5_const_principal ks_client_princ;
+ 	krb5_authdata **authdata = NULL;
+ 	krb5_boolean is_as_req;
+ 	krb5_error_code code;
+ 	krb5_pac pac = NULL;
+ 	krb5_data pac_data;
+ 
+-	/* Prefer canonicalised name from client entry */
+-	if (client != NULL) {
+-		ks_client_princ = client->princ;
+-	} else {
+-		ks_client_princ = client_princ;
+-	}
+-
+ 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ 
+ 	if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+@@ -351,7 +343,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 	if (!is_as_req) {
+ 		code = ks_verify_pac(context,
+ 				     flags,
+-				     ks_client_princ,
+				     client_princ,
+ 				     client,
+ 				     server,
+ 				     krbtgt,
+@@ -378,7 +370,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 		goto done;
+ 	}
+ 
+-	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+	code = krb5_pac_sign(context, pac, authtime, client_princ,
+ 			server_key, krbtgt_key, &pac_data);
+ 	if (code != 0) {
+ 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
+-- 
+2.24.1
+
--- a/samba.spec
+++ b/samba.spec
@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering

-%define main_release 0
+%define main_release 1

 %define samba_version 4.11.5
 %define talloc_version 2.2.0
@ -125,6 +125,7 @@ Source201:      README.downgrade
 Patch100:       0000-use-gnutls-for-des-cbc.patch
 Patch101:       0001-handle-removal-des-enctypes-from-krb5.patch
 Patch102:       0002-samba-tool-create-working-private-krb5.conf.patch
+Patch103:       new_mit_118.patch

 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd