s4:kdc: Enforce TGT lifetime authentication policy

author Joseph Sutton <josephsutton@catalyst.net.nz>

Thu, 4 May 2023 03:06:40 +0000 (15:06 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 18 May 2023 01:03:37 +0000 (01:03 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Thu, 4 May 2023 03:06:40 +0000 (15:06 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 18 May 2023 01:03:37 +0000 (01:03 +0000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index cf07824ebe18aa5bc6443e1cdaa9ab97cca7a514..c39c0053b88ff0baa3d145a53071c70867e14e60 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -132,28 +132,7 @@
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_allowed_from.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_not_allowed_from.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_computer.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_kpasswd_lifetime.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_long_protected.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_max.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_one_second.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_short_protected.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_and_policy_tgt_lifetime_computer.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_and_policy_tgt_lifetime_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_and_policy_tgt_lifetime_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_a_member_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_assigned_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_enforced_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_enforced_policy_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_tgt_lifetime_computer.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_tgt_lifetime_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_tgt_lifetime_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_unenforced_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_unenforced_policy_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_not_a_silo_and_policy.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_asserted_identity.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_claims_valid.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_compounded_auth.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc

index 13c1ece353a33cac0bdc51347ccfc939da124cb3..3686dd24f9b3c5638980ad97f7f166b69e763fe2 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -2225,28 +2225,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_allowed_from.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_samr_pwd_change_deny_service_not_allowed_from.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_simple_bind_deny_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_computer.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_kpasswd_lifetime.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_long_protected.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_max.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_one_second.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_short_protected.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_and_policy_tgt_lifetime_computer.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_and_policy_tgt_lifetime_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_and_policy_tgt_lifetime_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_a_member_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_assigned_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_enforced_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_not_enforced_policy_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_tgt_lifetime_computer.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_tgt_lifetime_service.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_tgt_lifetime_user.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_unenforced_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_silo_unenforced_policy_and_assigned_policy.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_not_a_silo_and_policy.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_asserted_identity.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_claims_valid.ad_dc
  ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_samlogon_allowed_to_computer_allow_compounded_auth.ad_dc
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c

index 375a2715dc63a1eb4adc545e06eb9ee5eaa67129..9195ebf0c594a86eeee292aa3565699b812af40f 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1092,6 +1092,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
  
         const struct authn_kerberos_client_policy *authn_client_policy = NULL;
         const struct authn_server_policy *authn_server_policy = NULL;
+       int64_t enforced_tgt_lifetime;
  
         ZERO_STRUCTP(entry);
  
@@ -1424,6 +1425,24 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                 }
         }
  
+       enforced_tgt_lifetime = authn_policy_enforced_tgt_lifetime(authn_client_policy);
+       if (enforced_tgt_lifetime != 0) {
+               int64_t lifetime = enforced_tgt_lifetime;
+
+               lifetime /= INT64_C(1000) * 1000 * 10;
+               lifetime = MIN(lifetime, INT_MAX);
+               lifetime = MAX(lifetime, INT_MIN);
+
+               /*
+                * Set both lifetime and renewal time based only on the
+                * configured maximum lifetime — not on the configured renewal
+                * time. Yes, this is what Windows does.
+                */
+               lifetime = MIN(*entry->max_life, lifetime);
+               *entry->max_life = lifetime;
+               *entry->max_renew = lifetime;
+       }
+
         if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)) {
                 int result;
                 const struct auth_user_info_dc *user_info_dc = NULL;
@@ -1455,7 +1474,12 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
  
                 protected_user = result;
  
-               if (protected_user) {
+               if (protected_user && enforced_tgt_lifetime == 0)
+               {
+                       /*
+                        * If a TGT lifetime hasn’t been set, Protected Users
+                        * enforces a four hour TGT lifetime.
+                        */
                         *entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
                         *entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Thu, 4 May 2023 03:06:40 +0000 (15:06 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 18 May 2023 01:03:37 +0000 (01:03 +0000)
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history
selftest/knownfail_mit_kdc		patch \| blob \| blame \| history
source4/kdc/db-glue.c		patch \| blob \| blame \| history