[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Stefan Metzmacher metze at samba.org
Wed Sep 25 04:09:56 EDT 2019

Am 24.09.19 um 02:05 schrieb Stefan Metzmacher:
> Hi,
> resuming this old thread...
> https://lists.samba.org/archive/samba-technical/2017-August/122422.html
>>> Does the Kerberos library know whether whether the application is going
>>> to look at PACs and SIDs or just use the client principal name?  I am
>>> guessing it does not.  Thus in Samba, one might need a dedicated
>>> krb5.conf configuration file that disables the transit check.  Other
>>> applications should still apply transit check even if a PAC happens
>>> to be present, as AFAIK it may well remain unused.
>> My idea was that Samba would use
>> gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X) to indicate
>> the the transited list should not be checked.
> I implemented GSS_KRB5_CRED_NO_TRANSIT_CHECK_X for
> MIT, Heimdal (both upstream and Samba) and make use of
> it in Samba.
> Note that I took a OID from Heimdal:
> GSS_KRB5_CRED_NO_TRANSIT_CHECK_X - 1.2.752.43.13.31
> So we need to push it Heimdal first in order to avoid
> conflicts later.
> The code for Heimdal can be found here:
> https://github.com/metze-samba/krb5/tree/master-no-transit-check
> (also attached as heimdal-no_transit_check-01.patches.txt
> and heimdal-no_transit_check-wip-tests-01.patches.txt)
> Sadly I wasn't able to create a test that was able to
> trigger the desired code path and verify it works as
> expected and avoid regressions. Maybe someone can
> help me with that or give some useful hints.
> Currently it's only tested via Samba.
> The code for MIT can be found here:
> https://github.com/metze-samba/krb5/tree/master-no-transit-check
> (also attached as mit-krb5-no_transit_check-01.patches.txt)
> It also have tests to verify it works as expected.
> The work in progress for Samba can be found here:
> https://gitlab.com/samba-team/samba/merge_requests/809
> (also attached as samba-no_transit_check-wip-01.txt)
> The key is that Samba will require a verified PAC in the
> Kerberos service ticket and be sure the authorization token
> is generated by a DC of the primary domain, which is all we care
> about as we just trust the domain. In such a situation
> we'll use GSS_KRB5_CRED_NO_TRANSIT_CHECK_X to disable
> the for us useless transit check.

I just realized that verifying the PAC gains no additional protection.
As the client realm, client principal and transited fields is
in the encrypted part of the ticket, which is encrypted with the machine
trust password.

For now I added a simple "kerberos acceptor disable transited check"
option, which is off by default for now in order to backport that fix,
but in master we should enable that by default.

I've updated the Samba merge request with a much simpler patchset.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20190925/fa5e400e/attachment-0001.bin

More information about the krbdev mailing list