s4:kdc: Replace FAST cookie with dummy string
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Fri, 9 Jun 2023 03:46:33 +0000 (15:46 +1200)
committerStefan Metzmacher <metze@samba.org>
Wed, 21 Jun 2023 13:19:17 +0000 (13:19 +0000)
The only consumer of the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224

selftest/knownfail_heimdal_kdc
source4/kdc/db-glue.c
source4/kdc/hdb-samba4.c
source4/kdc/kdc-heimdal.c
source4/kdc/samba_kdc.h

index 7fb46ae05d828f87d0c981266179a32e93b65499..ea2537530f8e1e4b576b78502f86f31713dc81a5 100644 (file)
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fx_cookie_no_fast.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unsolicited_fx_cookie_preauth.ad_dc
 #
 # S4U tests
 #
index 112c9556e931b21361401a0d29f152d82e9f92c9..ae90896d572f5008db35edf37314d7ca10fae793 100644 (file)
@@ -3536,25 +3536,6 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
                return NT_STATUS_INTERNAL_ERROR;
        }
 
-       /* Setup the link to secrets.ldb */
-
-       kdc_db_ctx->secrets_db = secrets_db_connect(kdc_db_ctx,
-                                                   base_ctx->lp_ctx);
-       if (kdc_db_ctx->secrets_db == NULL) {
-               DEBUG(1, ("samba_kdc_setup_db_ctx: "
-                         "Cannot open secrets.ldb for KDC backend!"));
-               talloc_free(kdc_db_ctx);
-               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-       }
-
-       kdc_db_ctx->fx_cookie_dn = ldb_dn_new(kdc_db_ctx,
-                                             kdc_db_ctx->secrets_db,
-                                             "CN=FX Cookie");
-       if (kdc_db_ctx->fx_cookie_dn == NULL) {
-               talloc_free(kdc_db_ctx);
-               return NT_STATUS_NO_MEMORY;
-       }
-
        /* Setup the link to LDB */
        kdc_db_ctx->samdb = samdb_connect(kdc_db_ctx,
                                          base_ctx->ev_ctx,
index 96c1ee5e072b59ba520d69fa37e5edf4248d82ab..90e52f60cef58ef0af17457b9d2f76485817a4f8 100644 (file)
@@ -119,125 +119,12 @@ static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db,
        }
 }
 
-static int hdb_samba4_fill_fast_cookie(krb5_context context,
-                                      struct samba_kdc_db_context *kdc_db_ctx)
-{
-       struct ldb_message *msg = ldb_msg_new(kdc_db_ctx);
-       int ldb_ret;
-
-       uint8_t secretbuffer[32];
-       struct ldb_val val = data_blob_const(secretbuffer,
-                                            sizeof(secretbuffer));
-
-       if (msg == NULL) {
-               DBG_ERR("Failed to allocate msg for new fast cookie\n");
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-
-       /* Fill in all the keys with the same secret */
-       generate_secret_buffer(secretbuffer,
-                              sizeof(secretbuffer));
-
-       msg->dn = kdc_db_ctx->fx_cookie_dn;
-
-       ldb_ret = ldb_msg_add_value(msg, "secret", &val, NULL);
-
-       if (ldb_ret != LDB_SUCCESS) {
-               return ldb_ret;
-       }
-
-       ldb_ret = ldb_add(kdc_db_ctx->secrets_db,
-                         msg);
-       if (ldb_ret != LDB_SUCCESS) {
-               DBG_ERR("Failed to add fast cookie to ldb: %s\n",
-                       ldb_errstring(kdc_db_ctx->secrets_db));
-       }
-       return ldb_ret;
-}
-
 static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
                                                    struct samba_kdc_db_context *kdc_db_ctx,
                                                    hdb_entry *entry)
 {
-       krb5_error_code ret = SDB_ERR_NOENTRY;
-       TALLOC_CTX *mem_ctx;
-       struct ldb_result *res;
-       int ldb_ret;
-       struct sdb_entry sentry = {};
-       const char *attrs[] = {
-               "secret",
-               NULL
-       };
-       const struct ldb_val *val;
-
-       mem_ctx = talloc_named(kdc_db_ctx, 0, "hdb_samba4_fetch_fast_cookie context");
-       if (!mem_ctx) {
-               ret = ENOMEM;
-               krb5_set_error_message(context, ret, "hdb_samba4_fetch_fast_cookie: talloc_named() failed!");
-               return ret;
-       }
-
-       /* search for CN=FX-COOKIE */
-       ldb_ret = ldb_search(kdc_db_ctx->secrets_db,
-                            mem_ctx,
-                            &res,
-                            kdc_db_ctx->fx_cookie_dn,
-                            LDB_SCOPE_BASE,
-                            attrs, NULL);
-
-       if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT || res->count == 0) {
-
-               ldb_ret = hdb_samba4_fill_fast_cookie(context,
-                                                     kdc_db_ctx);
-
-               if (ldb_ret != LDB_SUCCESS) {
-                       TALLOC_FREE(mem_ctx);
-                       return HDB_ERR_NO_WRITE_SUPPORT;
-               }
-
-               /* search for CN=FX-COOKIE */
-               ldb_ret = ldb_search(kdc_db_ctx->secrets_db,
-                                    mem_ctx,
-                                    &res,
-                                    kdc_db_ctx->fx_cookie_dn,
-                                    LDB_SCOPE_BASE,
-                                    attrs, NULL);
-
-               if (ldb_ret != LDB_SUCCESS || res->count != 1) {
-                       TALLOC_FREE(mem_ctx);
-                       return HDB_ERR_NOENTRY;
-               }
-       }
-
-       val = ldb_msg_find_ldb_val(res->msgs[0],
-                                  "secret");
-       if (val == NULL || val->length != 32) {
-               TALLOC_FREE(mem_ctx);
-               return HDB_ERR_NOENTRY;
-       }
-
-
-       ret = krb5_make_principal(context,
-                                 &sentry.principal,
-                                 KRB5_WELLKNOWN_ORG_H5L_REALM,
-                                 KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie",
-                                 NULL);
-       if (ret) {
-               TALLOC_FREE(mem_ctx);
-               return ret;
-       }
-
-       ret = samba_kdc_set_fixed_keys(context, val, ENC_ALL_TYPES,
-                                      &sentry.keys);
-       if (ret != 0) {
-               return ret;
-       }
-
-       ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
-       sdb_entry_free(&sentry);
-       TALLOC_FREE(mem_ctx);
-
-       return ret;
+       DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n");
+       return HDB_ERR_NOENTRY;
 }
 
 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
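Review bot: The new body of hdb_samba4_fetch_fast_cookie logs at DBG_ERR every time it is reached, and if the dispatch in hdb_samba4_fetch_kvno (whose body lies outside this hunk) still routes lookups of the WELLKNOWN/org.h5l.fast-cookie principal here, that line can be driven by any unauthenticated client that names the principal in a request. Because this build of the KDC deliberately disables the FAST cookie, such a lookup is not an operational error an administrator can act on, and a lower level such as `DBG_WARNING` or `DBG_NOTICE` would keep network-triggered noise out of the error log. The function also keeps its three parameters but now uses none of them, so a short comment above the DBG_ERR, e.g. `/* FX-COOKIE support is disabled (kdc-heimdal.c sets enable_fast_cookie = false); refuse the lookup rather than fabricate keys */`, would tell the next reader why this stub exists and why HDB_ERR_NOENTRY is the expected answer.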
index 766f7ba917d3221d5f7b298c3ea72e880772b57a..da1c2118bd2989d2a770fd90f742bc860b32a980 100644 (file)
@@ -425,6 +425,35 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
         */
        kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
 
+       {
+               static const char *dummy_string = "Microsoft";
+
+               /*
+                * The FAST cookie is not cryptographically required,
+                * provided that the non-AD gss-preauth authentication
+                * method is removed (as this is the only multi-step
+                * authentication method).
+                *
+                * gss-preauth has been disabled both by not being
+                * configured and by being made dependent
+                * configuration for a "real" fast cookie.
+                *
+                * The hide_client_names feature in Heimdal is the
+                * only other state that is persisted in the cookie,
+                * and this does not need to be in the cookie for
+                * single-shot authentication protocols such as ENC-TS
+                * and ENC-CHAL, the standard password protocols in
+                * AD.
+                *
+                * Furthermore, the Heimdal KDC does not fail if the
+                * client does not supply a FAST cookie, showing that
+                * the presence of the cookie is not required.
+                */
+               kdc_config->enable_fast_cookie = false;
+               kdc_config->dummy_fast_cookie = smb_krb5_make_data(discard_const_p(char, dummy_string),
+                                                                  strlen(dummy_string));
+       }
+
        /*
         * Match Windows and RFC6113 and Windows but break older
         * Heimdal clients.
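Review bot: The dummy cookie assigned at the end of the new block is a fixed, public string, so any PA-FX-COOKIE a client echoes back carries no integrity or freshness; that is only safe while `enable_fast_cookie` stays false and no pre-authentication mechanism keeps state across round trips, and the comment should state this next to the assignment, e.g. `/* Public constant: the KDC must never parse or trust a cookie a client returns while enable_fast_cookie is false. */`. The sentence "gss-preauth has been disabled both by not being configured and by being made dependent configuration for a "real" fast cookie" in the same comment does not parse — "made dependent on the configuration of a "real" fast cookie" appears to be the intent — and the first paragraph says gss-preauth is "removed" while this one says "disabled"; pick one, matching the commit message's "disabled by default". As a minor point of style, `static const char dummy_string[] = "Microsoft";` would let `sizeof(dummy_string) - 1` replace the runtime `strlen()`, while the `discard_const_p` the call already uses would still be needed for smb_krb5_make_data.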
index 8410a5bebacd47b1d8c16a746863ac552e130930..8b3f072b3627d2ba269b59e94f9f7db377707ca8 100644 (file)
@@ -52,8 +52,6 @@ struct samba_kdc_db_context {
        unsigned int my_krbtgt_number;
        struct ldb_dn *krbtgt_dn;
        struct samba_kdc_policy policy;
-       struct ldb_dn *fx_cookie_dn;
-       struct ldb_context *secrets_db;
 };
 
 struct samba_kdc_entry {