authpolicy: net ads join possibly uses insecure ciphers
Issue description
When doing net ads join, Samba creates a temporary krb5.conf file that contains insecure ciphers, e.g.
/tmp/authpolicyd/samba/lock/smb_krb5/krb5.conf.CHROME
contains

[libdefaults]
    default_realm = CHROME.LAN
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    dns_lookup_realm = false
[realms]
    CHROME.LAN = {
        kdc = 100.107.70.142
    }
Find out why that is, what the consequences are and how to fix it.
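A defender-side check for the problem described above, added here as an example; it is not code from the bug report, from authpolicy or from Samba. It parses a krb5.conf-style file, reports which of the three enctype lists in [libdefaults] still carry RC4-HMAC or DES types, and produces a copy with only the AES types kept (the set that Samba's later "kerberos encryption types = strong" setting maps to, per the thread). The embedded sample is the file quoted in the report with the KDC address replaced by a placeholder; the function and constant names are this example's own.

```python
"""Check a krb5.conf [libdefaults] section for weak Kerberos enctypes.

Added example, not part of the bug report or of Samba/authpolicy code.
The weak/strong split follows the thread: RC4-HMAC and the DES types are
the ones to drop; the two AES CTS types are the 'strong' set.
"""
import re

# Enctype names as they appear in the temporary krb5.conf quoted in the report.
WEAK_ENCTYPES = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")

# Constructed sample: the file from the issue description, KDC address replaced
# by a placeholder so nothing here points at a real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CHROME.LAN
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    dns_lookup_realm = false
[realms]
    CHROME.LAN = {
        kdc = KDC_ADDRESS_PLACEHOLDER
    }
"""

_SECTION_RE = re.compile(r"\[([^\]]+)\]")


def parse_sections(text):
    """Return {section: [(key, value), ...]} for a krb5.conf-style file.

    Comments and blank lines are skipped; the nested '{ ... }' blocks under
    [realms] are flattened into that section's list (the '{' is dropped).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line == "}":
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip().rstrip("{").strip()))
    return sections


def find_weak_enctypes(text):
    """Return {enctype_key: [weak enctype names as written]} for [libdefaults].

    A key that lists no weak type maps to an empty list; keys absent from the
    file are absent from the result, since krb5 then falls back to built-in
    defaults that this checker does not model.
    """
    report = {}
    for key, value in parse_sections(text).get("libdefaults", []):
        if key in ENCTYPE_KEYS:
            report[key] = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
    return report


def harden_enctypes(text):
    """Return a copy of the config with weak enctypes removed from the
    enctype lists in [libdefaults]; every other line is passed through."""
    out = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.fullmatch(line)
        if m:
            section = m.group(1)
        key, sep, value = line.partition("=")
        if section == "libdefaults" and sep and key.strip() in ENCTYPE_KEYS:
            kept = [e for e in value.split() if e.lower() not in WEAK_ENCTYPES]
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}{key.strip()} = {' '.join(kept)}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, weak in find_weak_enctypes(SAMPLE_KRB5_CONF).items():
        print(f"{key}: {'WEAK ' + ' '.join(weak) if weak else 'ok'}")
    print(harden_enctypes(SAMPLE_KRB5_CONF))
```

The rewrite is only a way to show what the hardened file should look like; as the rest of the thread describes, the actual fix is to stop Samba from emitting the weak types in the first place (the smb.conf "kerberos encryption types" parameter), and find_weak_enctypes is the kind of check that verifies the file Samba then generates.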
Nov 21 2016
Can we merge this into issue 660834?

Nov 21 2016

Jan 2 2017
Zen, it looks like the code that writes this file is in source3/libads/kerberos.c, line 900 (in Samba 4.5.0). Do you think we can simply add a patch that removes "RC4-HMAC DES-CBC-CRC DES-CBC-MD5"?
Jan 3 2017
Seems reasonable.
Jan 18 2017
The 2 changes below appear to add a new config to smb.conf called "kerberos encryption types" with 3 values: all, strong, and legacy. 'strong' maps to just the AES ones, which does what we want for now (possibly we might want something more flexible in future).
https://git.samba.org/?p=samba.git;a=commitdiff;h=513fa31c85650e0767e5dc1b3b94a4cc652030e6;hp=25df582739918b7afd4e5497eaffe279e2d92cd1
https://git.samba.org/?p=samba.git;a=commitdiff;h=3fff2667ec3f12fe1263735095c1a39182b0d351;hp=513fa31c85650e0767e5dc1b3b94a4cc652030e6
These were in August, so I'm just going to double check they didn't make it into the 4.5.3 release, then I'll see if the patches apply cleanly to our version.
Jan 18 2017
Agreed that "strong" is fully sufficient for now. Looking for the presence of docs-xml/smbdotconf/security/kerberosencryptiontypes.xml, that change doesn't seem present in either remotes/origin/v4-5-stable or remotes/origin/v4-5-test. The good news is that the two CLs have easily resolvable conflicts when merging into v4-5-stable. Could you maybe upload a patch and add me as reviewer?
Jan 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/44ae699e137a1204d0898ac0e255cf0c343576c8

commit 44ae699e137a1204d0898ac0e255cf0c343576c8
Author: Zentaro Kavanagh <zentaro@google.com>
Date: Wed Jan 18 20:30:35 2017

Backport 2 changes [1][2] from Samba trunk that support restricting encryption types for kerberos.
- These were upstream changes we requested to comply with security review.
- It allows us to force Samba to disallow insecure ciphers.
- These changes will end up in 4.6 so they can be dropped when we upgrade.

[1] - https://git.samba.org/?p=samba.git;a=commit;h=513fa31c85650e0767e5dc1b3b94a4cc652030e6
[2] - https://git.samba.org/?p=samba.git;a=commit;h=3fff2667ec3f12fe1263735095c1a39182b0d351

BUG= chromium:662390
TEST=applies and builds

Change-Id: I0c36a37e24a79a5b8e55e50df79aa4c0873411da
Reviewed-on: https://chromium-review.googlesource.com/429933
Commit-Ready: Thiemo Nagel <tnagel@chromium.org>
Tested-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>

[add] https://crrev.com/44ae699e137a1204d0898ac0e255cf0c343576c8/net-fs/samba/files/samba-4.5.3-add_kerberos_enc_types.patch
[add] https://crrev.com/44ae699e137a1204d0898ac0e255cf0c343576c8/net-fs/samba/files/samba-4.5.3-use_kerberos_enc_types.patch
[modify] https://crrev.com/44ae699e137a1204d0898ac0e255cf0c343576c8/net-fs/samba/samba-4.5.3.ebuild
[rename] https://crrev.com/44ae699e137a1204d0898ac0e255cf0c343576c8/net-fs/samba/samba-4.5.3-r4.ebuild
Jan 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/933a40efda17e223c6b622a3563d93c0b4b5de2e

commit 933a40efda17e223c6b622a3563d93c0b4b5de2e
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 19 13:41:52 2017

authpolicy: Depend on Samba 4.5.3-r4

Contains a patch that adds the ability to set secure encryption types for krb5.conf files created internally by Samba.

CQ-DEPEND=CL:429933,CL:430671
BUG= chromium:662390
TEST=Compiles

Change-Id: I64814c2d134379a93c36337748f6bc34a7cb88f0
Reviewed-on: https://chromium-review.googlesource.com/430692
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>

[modify] https://crrev.com/933a40efda17e223c6b622a3563d93c0b4b5de2e/chromeos-base/authpolicy/authpolicy-9999.ebuild
Jan 20 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/061588e616785df2a364be73a8fb513c908356fc

commit 061588e616785df2a364be73a8fb513c908356fc
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Jan 19 13:45:55 2017

authpolicy: Set strong Kerberos encryption types in smb.conf

Samba internally creates a krb5.conf file that by default contains encryption types we consider weak. This CL sets a parameter in smb.conf that forces Samba to use strong encryption types only.

CQ-DEPEND=CL:430692
BUG= chromium:662390
TEST=Verified that the internally created encryption types are strong.

Change-Id: I09035188f333559e38508cebd3bdaa48000ae7f6
Reviewed-on: https://chromium-review.googlesource.com/430671
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>

[modify] https://crrev.com/061588e616785df2a364be73a8fb513c908356fc/authpolicy/samba_interface.cc
Jan 23 2017
Afaics, this has been fixed. Can we close the issue?
Jan 24 2017
Jul 6 2017
bulk Verify of Chromad V1 bugs
Comment 1 by bartfab@chromium.org, Nov 11 2016