loadparm: add "kdc name match implicit dollar without canonicalization"
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 12 Nov 2025 03:29:13 +0000 (16:29 +1300)
committerJennifer Sutton <jsutton@samba.org>
Thu, 20 Nov 2025 21:25:39 +0000 (21:25 +0000)
This does nothing yet.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
docs-xml/smbdotconf/security/kdcnamematchimplicitdollarwithoutcanonicalization.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/kdcnamematchimplicitdollarwithoutcanonicalization.xml b/docs-xml/smbdotconf/security/kdcnamematchimplicitdollarwithoutcanonicalization.xml
new file mode 100644 (file)
index 0000000..e1426b1
--- /dev/null
@@ -0,0 +1,39 @@
+<samba:parameter name="kdc name match implicit dollar without canonicalization"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+  <description>
+    <para>
+      This option only affect clients that do not request name
+      canonicalization in an AS request, which generally means
+      traditional unix Kerberos clients and not Windows clients.
+    </para>
+
+    <para>
+      The KDC may match the name in an AS request inexactly, for
+      example using a case-insensitive comparison or converting it to
+      a User Principal Name, but the client is not informed of the
+      principal it actually matched unless it set the 'canonicalize'
+      option flag.
+    </para>
+    <para>
+      In Active Directory domains, the default behaviour of the KDC is
+      to append a '$' character if the supplied name does not have one
+      and does not already match. That allows 'foo' to match the
+      machine account 'foo$'. An attacker who is able to create
+      arbitrary machine accounts (which can be a low-privilege
+      operation) is sometimes able to get tickets for unix users by
+      mimicking their names. This is known as the 'dollar ticket
+      attack'.
+    </para>
+    <para>
+      With this option set to 'no', the KDC will not try to match
+      using the appended '$' unless the canonicalize flag is set. This
+      will allow AD-aware clients as usual to connect with
+      canonicalization, but not expose traditional unix clients to the
+      dollar ticket attack.
+    </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
index 125838c53a7c2c163c8219296486ae7543c26404..dc4f6829208864c7f4745a2bcb0ac9356a88d738 100644 (file)
@@ -2960,6 +2960,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
        lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0");
        lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True");
+       lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization",
+                                 "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
 
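Review bot: The new default is spelled `"yes"` while the neighbouring boolean defaults in this block of loadparm_init ("kdc always include pac", "nt status support") are spelled `"True"`; both parse as true, so behaviour is the same, but for consistency with the surrounding lines consider `lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization", "True");`. The value agrees with the `<value type="default">yes</value>` in the new docs-xml file, so the documented and compiled-in defaults match, which is the thing worth keeping in sync as the option gains a consumer. A default of true keeps the existing implicit-'$' matching for non-canonicalizing clients, i.e. this is the backward-compatible choice rather than the hardened one, and that is worth a short comment next to the line so a later reader does not assume the safer value is on by default. loadparm_init continues outside the hunk.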
index 344b8901401f377c6bceb05e088ec5e6029f659e..42f126acc2107e2e356c1b9e1f1358cd83e5b711 100644 (file)
@@ -965,6 +965,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
        Globals.certificate_backdating_compensation = 0;
        Globals.kdc_always_include_pac = true;
 
+       Globals.kdc_name_match_implicit_dollar_without_canonicalization = true;
+
        Globals.winbind_debug_traceid = true;
 
        Globals.aio_max_threads = 100;
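Review bot: The new assignment `Globals.kdc_name_match_implicit_dollar_without_canonicalization = true;` is placed on its own between two blank lines rather than directly after `Globals.kdc_always_include_pac = true;`, which is where the other KDC defaults sit; moving it up one line keeps the kdc settings grouped and mirrors the ordering used in lib/param/loadparm.c in the same commit. The field itself is presumably generated from the new docs-xml parameter definition, so this hunk only compiles once that generation has run — worth confirming in the build rather than from the diff alone. loadparm_s3_init_globals continues outside the hunk.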