krb5-samba: interdomain trust uses different salt principal

Enterprise / Samba - Alexander Bokovoy [samba.org] - 5 September 2018 01:57 EDT

Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($)

The salt principal for the BLA$ user object was generated incorrectly.

dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA

dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000

The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'.

While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539

Pair-Programmed-With: Stefan Metzmacher
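The salt strings quoted in the commit message all follow the Kerberos default-salt rule (realm followed by the principal's name components, with no separators); what differs between Windows and pre-fix Samba is which principal the trust account's salt is taken from. The following is an added example, not Samba code and not from the commit: it derives the three salts named above from their principals, and also covers the computer-account case from MS-KILE 3.1.1.2 (host/<lowercase name>.<lowercase realm>), which the commit does not mention, to show the general pattern. The PBKDF2 step is only the first stage of the RFC 3962 aes256-cts string-to-key (the final DK step is omitted), and the trust password it uses is a constructed value.

```python
"""Kerberos salt derivation for Active Directory account classes.

Added example, not Samba code.  It reproduces the salt strings quoted in
the commit message and shows why storing the wrong one matters.
"""
import hashlib
from typing import List, Tuple


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).

    The last '@' separates the realm; '/' separates name components.
    Backslash escaping is not handled here (kept simple on purpose).
    """
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if not realm or not all(comps):
        raise ValueError("malformed principal: %r" % principal)
    return comps, realm


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: realm followed by every component, no separators.

    krbtgt/BLA@W4EDOM-L4.BASE -> 'W4EDOM-L4.BASEkrbtgtBLA'
    BLA$@W4EDOM-L4.BASE       -> 'W4EDOM-L4.BASEBLA$'
    """
    comps, realm = parse_principal(principal)
    return realm + "".join(comps)


def salt_principal(sam_account_name: str, realm: str, kind: str) -> str:
    """Principal whose default salt Windows uses for an account.

    kind is 'user', 'computer' or 'trust'.  The 'user' and 'trust' rules are
    the ones the commit message describes; 'computer' follows MS-KILE
    3.1.1.2 and is included only to show the general pattern.  For an
    interdomain trust the sAMAccountName minus its '$' becomes the second
    component of krbtgt/, so the '$' never reaches the salt.
    """
    if kind == "user":
        return "%s@%s" % (sam_account_name, realm)
    if not sam_account_name.endswith("$"):
        raise ValueError("%s accounts end in '$': %r" % (kind, sam_account_name))
    short = sam_account_name[:-1]
    if kind == "computer":
        return "host/%s.%s@%s" % (short.lower(), realm.lower(), realm)
    if kind == "trust":
        return "krbtgt/%s@%s" % (short, realm)
    raise ValueError("unknown account kind %r" % kind)


def windows_salt(sam_account_name: str, realm: str, kind: str) -> str:
    """Salt string Windows stores for the given account class."""
    return default_salt(salt_principal(sam_account_name, realm, kind))


def trust_auth_salt(trust_partner: str, realm: str) -> str:
    """Salt for keys built from trustAuthIncoming/trustAuthOutgoing.

    These are the cross-realm krbtgt keys, so the second component is the
    partner realm (the trustPartner DNS name, upper-cased):
    krbtgt/BLA.BASE@W4EDOM-L4.BASE -> 'W4EDOM-L4.BASEkrbtgtBLA.BASE'.
    """
    return default_salt("krbtgt/%s@%s" % (trust_partner.upper(), realm))


def pbkdf2_stage(password: str, salt: str) -> bytes:
    """First stage of the RFC 3962 aes256-cts string-to-key:
    PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes.  The final
    DK(tkey, "kerberos") step is omitted; it is deterministic, so different
    intermediates here mean the DC and its peer end up with different keys.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, 32)


def same_key_material(password: str, salt_a: str, salt_b: str) -> bool:
    """True only if both salts lead to identical intermediate key material."""
    return pbkdf2_stage(password, salt_a) == pbkdf2_stage(password, salt_b)


if __name__ == "__main__":
    realm = "W4EDOM-L4.BASE"
    # Values taken from the commit message:
    print(windows_salt("BLA$", realm, "trust"))  # W4EDOM-L4.BASEkrbtgtBLA (Windows)
    print(windows_salt("BLA$", realm, "user"))   # W4EDOM-L4.BASEBLA$ (Samba before the fix)
    print(trust_auth_salt("bla.base", realm))    # W4EDOM-L4.BASEkrbtgtBLA.BASE
    # Constructed trust password, illustrative only:
    print(same_key_material("constructed-trust-secret",
                            windows_salt("BLA$", realm, "trust"),
                            windows_salt("BLA$", realm, "user")))  # False
```

Run it directly to see the three salts side by side; the last line shows that treating the trust account like an ordinary user (salt 'W4EDOM-L4.BASEBLA$') produces key material that can never match what a Windows DC derives for the same trust password.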

f3e349bebc4 krb5-samba: interdomain trust uses different salt principal
auth/credentials/credentials_krb5.c | 16 +++++--
lib/krb5_wrap/krb5_samba.c | 61 +++++++++++++++++++-------
lib/krb5_wrap/krb5_samba.h | 2 +-
selftest/knownfail.d/trust_user_account | 1 -
source3/passdb/machine_account_secrets.c | 3 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 6 +--
6 files changed, 63 insertions(+), 26 deletions(-)

Upstream: gitweb.samba.org

