Active Directory cross-realm support in 1.6 branch


Active Directory cross-realm support in 1.6 branch

Patrik Lundin-2
Hello,

Running a Heimdal KDC on Ubuntu with the normal packages (~1.6) I have a
working cross realm trust from the Heimdal realm to an Active Directory
realm.

I recently tried setting up a cross-realm trust in the other direction,
from AD to Heimdal. This does not work.

The following steps are followed:
#1. Run kinit against the AD realm:
===
$ kinit [hidden email]
$ klist
Credentials cache: FILE:/tmp/krb5cc_GFMQAj
        Principal: [hidden email]

  Issued                Expires               Principal
May 19 18:06:31 2016  May 20 04:06:10 2016  krbtgt/[hidden email]
===

#2. Run kgetcred to fetch a service ticket in the Heimdal realm.
===
$ kgetcred host/[hidden email]
kgetcred: krb5_get_creds: Matching credential (host/[hidden email]) not found
===

#3. klist shows that the cross-realm ticket was successfully fetched from AD
===
$ klist
Credentials cache: FILE:/tmp/krb5cc_GFMQAj
        Principal: [hidden email]

  Issued                Expires               Principal
May 19 18:06:31 2016  May 20 04:06:10 2016  krbtgt/[hidden email]
May 19 18:06:57 2016  May 20 04:06:10 2016  krbtgt/[hidden email]
===

#4. The Heimdal KDC logged the following message when kgetcred was used:
===
May 19 18:06:39 kdc-lab-slave1 kdc[1856]: Failed to verify AP-REQ: encryption key has bad length
May 19 18:06:39 kdc-lab-slave1 kdc[1856]: Failed parsing TGS-REQ from IPv4:xxx.xxx.xxx.xxx
May 19 18:06:39 kdc-lab-slave1 kdc[1856]: tgs-req: sending error: -1765328195 to client
May 19 18:06:39 kdc-lab-slave1 kdc[1856]: sending 114 bytes to IPv4:xxx.xxx.xxx.xxx
===

Looking at the git master branch I noticed that Jeffrey Altman had supplied a
patch which was meant to handle this scenario:
https://github.com/heimdal/heimdal/commit/83011252d7be71d60aa23df8648c516a6148203e

This prompted me to build a new set of Ubuntu packages with this patch
applied. It did indeed seem to fix the cross-realm problem:
===
$ kgetcred host/[hidden email]
$ klist
Credentials cache: FILE:/tmp/krb5cc_GFMQAj
        Principal: [hidden email]

  Issued                Expires               Principal
May 19 18:19:18 2016  May 20 04:18:58 2016  krbtgt/[hidden email]
May 19 18:19:29 2016  May 20 04:18:58 2016  krbtgt/[hidden email]
May 19 18:19:11 2016  May 20 04:18:58 2016  host/[hidden email]
===

The Heimdal KDC log looks much better then:
===
May 19 18:19:11 kdc-lab-slave1 kdc[853]: TGS-REQ [hidden email] from IPv4:xxx.xxx.xxx.xxx for host/[hidden email] [proxiable, forwardable]
May 19 18:19:11 kdc-lab-slave1 kdc[853]: Client not found in database: no such entry found in hdb
May 19 18:19:11 kdc-lab-slave1 kdc[853]: cross-realm AD.REALM -> HEIMDAL.REALM
May 19 18:19:11 kdc-lab-slave1 kdc[853]: TGS-REQ authtime: 2016-05-19T18:19:18 starttime: 2016-05-19T18:19:11 endtime: 2016-05-20T04:18:58 renew till: unset
May 19 18:19:11 kdc-lab-slave1 kdc[853]: sending 678 bytes to IPv4:xxx.xxx.xxx.xxx
===

However, at this point I noticed that the previously working
HEIMDAL.REALM -> AD.REALM cross-realm had stopped working.

#1. Kinit against Heimdal still works:
===
$ kinit [hidden email]
$ klist
Credentials cache: FILE:/tmp/krb5cc_GFMQAj
        Principal: [hidden email]

  Issued                Expires               Principal
May 19 18:15:57 2016  May 20 04:15:50 2016  krbtgt/[hidden email]
===

#2. The kgetcred fails however:
===
$ kgetcred host/[hidden email]
kgetcred: krb5_get_creds: Matching credential (host/[hidden email]) not found
$ klist
Credentials cache: FILE:/tmp/krb5cc_GFMQAj
        Principal: [hidden email]

  Issued                Expires               Principal
May 19 18:15:57 2016  May 20 04:15:50 2016  krbtgt/[hidden email]
===

The KDC logs the following messages:
===
May 19 18:17:19 kdc-lab-slave1 kdc[853]: Failed to verify AP-REQ: encryption key has bad length
May 19 18:17:19 kdc-lab-slave1 kdc[853]: Failed parsing TGS-REQ from IPv4:xxx.xxx.xxx.xxx
May 19 18:17:19 kdc-lab-slave1 kdc[853]: tgs-req: sending error: -1765328195 to client
May 19 18:17:19 kdc-lab-slave1 kdc[853]: sending 114 bytes to IPv4:xxx.xxx.xxx.xxx
May 19 18:17:19 kdc-lab-slave1 kdc[853]: Failed to verify AP-REQ: encryption key has bad length
May 19 18:17:19 kdc-lab-slave1 kdc[853]: Failed parsing TGS-REQ from IPv4:xxx.xxx.xxx.xxx
May 19 18:17:19 kdc-lab-slave1 kdc[853]: tgs-req: sending error: -1765328195 to client
May 19 18:17:19 kdc-lab-slave1 kdc[853]: sending 114 bytes to IPv4:xxx.xxx.xxx.xxx
===

Some further testing suggests that any TGS-REQ queries not using the
AD.REALM -> HEIMDAL.REALM cross-realm trust are broken at this point:
trying to kgetcred "host/[hidden email]" after
fetching the HEIMDAL.REALM krbtgt with kinit fails.

Looking closer at the patch I noticed something however:
While it does add the possibility of setting HDB_F_ALL_KVNOS in the flags
variable if kvno is 0, it completely removes the "kvno = *kvno_ptr;" which was
done previously.

It seems to me that the kvno variable still needs to be set when
HDB_F_KVNO_SPECIFIED is selected.

I tried building a new set of Ubuntu packages with this slightly modified patch:
===
Index: heimdal-1.6~git20131207+dfsg/kdc/misc.c
===================================================================
--- heimdal-1.6~git20131207+dfsg.orig/kdc/misc.c 2013-12-07 14:36:38.000000000 +0100
+++ heimdal-1.6~git20131207+dfsg/kdc/misc.c 2016-05-19 19:50:56.581368847 +0200
@@ -53,9 +53,13 @@
 
     *h = NULL;
 
-    if (kvno_ptr) {
+    if (kvno_ptr != NULL) {
+ if (*kvno_ptr != 0){
     kvno = *kvno_ptr;
     flags |= HDB_F_KVNO_SPECIFIED;
+ }
+ else
+    flags |= HDB_F_ALL_KVNOS;
     }
 
     ent = calloc(1, sizeof (*ent));
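Review bot: the inner `if`/`else` added in this hunk is indented with a single space and the `else` branch is brace-less while the `if` branch is braced; re-indent to the surrounding four-space style and write `} else {` ... `}` so the two branches read symmetrically. The logic itself is right: `kvno = *kvno_ptr;` is kept alongside HDB_F_KVNO_SPECIFIED for a nonzero kvno, and HDB_F_ALL_KVNOS is set only for kvno 0, which is exactly the assignment the upstream commit dropped.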
===

It seems to make the KDC work again. I feel like I am missing
something though: if the original diff indeed breaks "normal" TGS-REQ
handling I guess it would have been spotted by now.

I am aware that master is a pretty different beast from the 1.6 branch
at this point however.

Any thoughts on this? If this indeed is the correct way forward I would
also be happy to know if there have been any follow-up patches needed
elsewhere in the tree to make this work reliably. It would be
unfortunate if I would break the KDC in some subtle way by applying the
diff above to the Ubuntu package as-is.

Regards,
Patrik Lundin
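The failure mode described in this message, as an added model written for this thread and not Heimdal's own code: a toy HDB lookup run through both the upstream variant (kvno assignment dropped) and Patrik's modified variant. The flag values, the `toy_key` record and the sample key set are constructed assumptions; only the flag names and the `kvno = *kvno_ptr;` behaviour come from the thread.

```c
#include <stddef.h>

/* Flag values are assumptions for this model, not Heimdal's real constants. */
#define HDB_F_KVNO_SPECIFIED 0x1
#define HDB_F_ALL_KVNOS      0x2

/* Constructed sample principal: one key per kvno with its key-material length. */
struct toy_key { int kvno; size_t len; };
static const struct toy_key sample_keys[] = { {1, 16}, {2, 32}, {3, 32} };

/* kvno/flag selection for the two variants in the thread. upstream == 1 models
   the upstream commit, where "kvno = *kvno_ptr;" was dropped so kvno stays 0
   even though HDB_F_KVNO_SPECIFIED is set; upstream == 0 models Patrik's diff. */
static void select_kvno(const int *kvno_ptr, int upstream, int *kvno, unsigned *flags)
{
    *kvno = 0;
    *flags = 0;
    if (kvno_ptr != NULL) {
        if (*kvno_ptr != 0) {
            if (!upstream)
                *kvno = *kvno_ptr;
            *flags |= HDB_F_KVNO_SPECIFIED;
        } else {
            *flags |= HDB_F_ALL_KVNOS;
        }
    }
}

/* Backend lookup model: HDB_F_KVNO_SPECIFIED matches only that exact kvno,
   HDB_F_ALL_KVNOS accepts any stored key (highest used). Returns the key length,
   or 0 when nothing matches, the state behind "encryption key has bad length". */
static size_t lookup_key_len(int kvno, unsigned flags)
{
    size_t n = sizeof sample_keys / sizeof sample_keys[0];
    if (flags & HDB_F_ALL_KVNOS)
        return sample_keys[n - 1].len;
    if (flags & HDB_F_KVNO_SPECIFIED)
        for (size_t i = 0; i < n; i++)
            if (sample_keys[i].kvno == kvno)
                return sample_keys[i].len;
    return 0;
}

/* One TGS-style key fetch for the kvno carried in the ticket. */
size_t fetch_len(int requested_kvno, int upstream)
{
    int kvno; unsigned flags;
    select_kvno(&requested_kvno, upstream, &kvno, &flags);
    return lookup_key_len(kvno, flags);
}
```

A ticket carrying kvno 2 finds no key under the upstream variant (kvno was never copied, so the lookup asks for kvno 0), while kvno 0 still works in both variants, matching the "only AD -> Heimdal cross-realm works" symptom.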
Re: Active Directory cross-realm support in 1.6 branch

Jeffrey Altman-2
On 5/20/2016 5:04 AM, Patrik Lundin wrote:

> [details deleted]
>
> Looking closer at the patch I noticed something however:
> While it does add the possibility of setting HDB_F_ALL_KVNOS in the flags
> variable if kvno is 0, it completely removes the "kvno = *kvno_ptr;" which was
> done previously.
>
> It seems to me that the kvno variable still needs to be set when
> HDB_F_KVNO_SPECIFIED is selected.
>
> I tried building a new set of Ubuntu packages with this slightly modified patch:
> ===
> Index: heimdal-1.6~git20131207+dfsg/kdc/misc.c
> ===================================================================
> --- heimdal-1.6~git20131207+dfsg.orig/kdc/misc.c 2013-12-07 14:36:38.000000000 +0100
> +++ heimdal-1.6~git20131207+dfsg/kdc/misc.c 2016-05-19 19:50:56.581368847 +0200
> @@ -53,9 +53,13 @@
>  
>      *h = NULL;
>  
> -    if (kvno_ptr) {
> +    if (kvno_ptr != NULL) {
> + if (*kvno_ptr != 0){
>      kvno = *kvno_ptr;
>      flags |= HDB_F_KVNO_SPECIFIED;
> + }
> + else
> +    flags |= HDB_F_ALL_KVNOS;
>      }
>  
>      ent = calloc(1, sizeof (*ent));
> ===
>
> It seems to make the KDC work again. I feel like I am missing
> something though: if the original diff indeed breaks "normal" TGS-REQ
> handling I guess it would have been spotted by now.
>
> I am aware that master is a pretty different beast from the 1.6 branch
> at this point however.
>
> Any thoughts on this? If this indeed is the correct way forward I would
> also be happy to know if there have been any follow-up patches needed
> elsewhere in the tree to make this work reliably. It would be
> unfortunate if I would break the KDC in some subtle way by applying the
> diff above to the Ubuntu package as-is.
Patrik,

The above patch looks correct. I too am surprised that no one has
complained about this previously.

I will merge the change.

Jeffrey Altman




Re: Active Directory cross-realm support in 1.6 branch

Patrik Lundin-2
On 2016-05-20 09:01:14, Jeffrey Altman wrote:
>
> The above patch looks correct. I too am surprised that no one has
> complained about this previously.
>
> I will merge the change.
>

Thanks for looking at this. I don't agree completely with the commit message
you used however.

It only states that cross-realm trusts break, but as I stated in my initial
message I believe it actually breaks _all_ TGS-REQs not using an AD -> Heimdal
cross-realm trust (I guess this means any TGS-REQ not using kvno 0).

This is how I verified it:
#1. kinit [hidden email]
#2. kgetcred host/[hidden email]

Outcome:
===
$ klist
klist: No ticket file: /tmp/krb5cc_CmOpBy
$ kinit [hidden email]
$ klist
Credentials cache: FILE:/tmp/krb5cc_CmOpBy
        Principal: [hidden email]

  Issued                Expires               Principal
May 20 15:37:17 2016  May 21 01:37:15 2016  krbtgt/[hidden email]
$ kgetcred host/[hidden email]
kgetcred: krb5_get_creds: Matching credential (host/[hidden email]) not found
$ klist
Credentials cache: FILE:/tmp/krb5cc_CmOpBy
        Principal: [hidden email]

  Issued                Expires               Principal
May 20 15:37:17 2016  May 21 01:37:15 2016  krbtgt/[hidden email]
===

Logs from the KDC at this point:
===
May 20 15:37:26 kdc-lab-slave1 kdc[858]: Failed to verify AP-REQ: encryption key has bad length
May 20 15:37:26 kdc-lab-slave1 kdc[858]: Failed parsing TGS-REQ from IPv4:xxx.xxx.xxx.xxx
May 20 15:37:26 kdc-lab-slave1 kdc[858]: tgs-req: sending error: -1765328195 to client
May 20 15:37:26 kdc-lab-slave1 kdc[858]: sending 114 bytes to IPv4:xxx.xxx.xxx.xxx
May 20 15:37:26 kdc-lab-slave1 kdc[858]: Failed to verify AP-REQ: encryption key has bad length
May 20 15:37:26 kdc-lab-slave1 kdc[858]: Failed parsing TGS-REQ from IPv4:xxx.xxx.xxx.xxx
May 20 15:37:26 kdc-lab-slave1 kdc[858]: tgs-req: sending error: -1765328195 to client
May 20 15:37:26 kdc-lab-slave1 kdc[858]: sending 114 bytes to IPv4:xxx.xxx.xxx.xxx
===

Like initially stated this simple non-cross-realm operation fails for me with
the original patch applied. This is what made it so weird it hasn't been
noticed.

I guess it might be too late to fix the commit message now though.

Regards,
Patrik Lundin