Issue 805908

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug
authpolicy: Support RC4-HMAC for domain join

Reported by ljusten@chromium.org (Project Member), Jan 25 2018

Issue description

By default, Windows 2012 doesn't enable AES encryption for domain trusts. Because of this, joining a machine to domain A using credentials from domain B (with trust between A and B) fails by default since Chromebooks enforce AES encryption.

Provide an option in the advanced options during enrollment to pick 'strong', 'all' and 'legacy' encryption types.
Status: Started (was: Assigned)

Comment 2 by bugdroid1@chromium.org (Project Member), Jan 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/system_api/+/03017732129da58164ffd1e31c7c050abc797e89

commit 03017732129da58164ffd1e31c7c050abc797e89
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Jan 30 17:02:14 2018

authpolicy: Add domain join errors

Adds two errors that can happen during domain join.

BUG= chromium:805908 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I7321c534d1a9d2a6bbd620d63d230b14b1f66abb
Reviewed-on: https://chromium-review.googlesource.com/886843
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Commit-Ready: Roman Sorokin <rsorokin@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Tested-by: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/03017732129da58164ffd1e31c7c050abc797e89/dbus/authpolicy/active_directory_info.proto


Comment 3 by bugdroid1@chromium.org (Project Member), Jan 31 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ac722cb03565b78c1501e9c2a336d6c2a45fcf91

commit ac722cb03565b78c1501e9c2a336d6c2a45fcf91
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Wed Jan 31 12:12:40 2018

Roll src/third_party/cros_system_api/ 55af1ecf9..030177321 (5 commits)

https://chromium.googlesource.com/chromiumos/platform/system_api.git/+log/55af1ecf9588..03017732129d

$ git log 55af1ecf9..030177321 --date=short --no-merges --format='%ad %ae %s'
2018-01-25 ljusten authpolicy: Add domain join errors
2018-01-23 allenvic smbprovider: Add WriteFile protobuf
2017-12-19 igorcov system_api: D-Bus constant for TpmAttestationGetEnrollmentId
2018-01-24 ljusten Remove deprecated AuthPolicy D-Bus method names
2018-01-21 ljusten authpolicy: Add ERROR_NO_WINDOWS_POLICY

Created with:
  roll-dep src/third_party/cros_system_api

BUG= chromium:805908 

Change-Id: I87859bf3e03d9c3668d731041317b31379a7a1e0
Reviewed-on: https://chromium-review.googlesource.com/893271
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533257}
[modify] https://crrev.com/ac722cb03565b78c1501e9c2a336d6c2a45fcf91/DEPS


Comment 4 by bugdroid1@chromium.org (Project Member), Feb 1 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/0ec736fd6cfaf381ebef0195277f4c60c72bb25e

commit 0ec736fd6cfaf381ebef0195277f4c60c72bb25e
Author: Lutz Justen <ljusten@chromium.org>
Date: Thu Feb 01 22:55:18 2018

authpolicy: Support more encryption types for domain join

Adds an option to customize the "kerberos encryption types" parameter in
smb.conf during domain join and initial device policy fetch.

By default, authpolicy only allows the (strong) AES encryption for
Kerberos authentication. However, AES might be blocked by the Active
Directory server. See bug description and
  https://lists.samba.org/archive/samba-technical/2016-July/115299.html
near "Avoiding AES" for specific use cases. In this case it is necessary
to allow the (weaker) RC4-HMAC encryption to unblock domain join.

Encryption is reset to 'strong' after the initial device policy fetch. A
new device policy is planned that is going to 'take over' the
specification of encryption types at that point.

The weaker types will be presented as drop-down on the Chrome OS domain
join screen. Note that if an Active Directory server supports AES
encryption, it is used even if the client supports weaker types as well.

For security and consistency reasons multiple domain join attempts are
blocked now.

CQ-DEPEND=CL:886843

BUG= chromium:805908 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: Ia2a14a71c8782d9f96a6219c79c11e45f6d1f02c
Reviewed-on: https://chromium-review.googlesource.com/888579
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/0ec736fd6cfaf381ebef0195277f4c60c72bb25e/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/0ec736fd6cfaf381ebef0195277f4c60c72bb25e/authpolicy/samba_interface.cc
[modify] https://crrev.com/0ec736fd6cfaf381ebef0195277f4c60c72bb25e/authpolicy/samba_interface.h
[modify] https://crrev.com/0ec736fd6cfaf381ebef0195277f4c60c72bb25e/authpolicy/samba_helper.h
[modify] https://crrev.com/0ec736fd6cfaf381ebef0195277f4c60c72bb25e/authpolicy/samba_helper.cc
[modify] https://crrev.com/0ec736fd6cfaf381ebef0195277f4c60c72bb25e/authpolicy/authpolicy.cc

Owner: rsorokin@chromium.org
Authpolicyd part is complete.
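The behaviour the commit message above describes (a 'strong' / 'legacy' / 'all' knob that widens the enctypes the client offers, AES still winning whenever the DC allows it, the weaker setting only covering the join plus the first device policy fetch, and repeated joins being blocked) can be followed in a small model. The block below is an added illustration for this thread; it is not authpolicy, Chrome OS or Samba code. Everything outside the thread is an assumption and is labelled as such in the comments: the option names and enctype sets are taken from Samba's documented `kerberos encryption types` parameter, the `msDS-SupportedEncryptionTypes` bit values from MS-KILE (with an absent or zero attribute treated as RC4-HMAC only, which is why a Windows 2012 trust object fails an AES-only join until AES is enabled on the trust), the KDC selection rule from RFC 4120, and the `JoinSession` class, `negotiate` and `kdc_enctypes` helpers are names invented here.

```python
"""Model of the Kerberos enctype negotiation behind the domain-join option.

Added illustration for the bug thread; not authpolicy, Chrome OS or Samba code.
Assumptions (not stated in the thread):
  * option names 'strong' / 'legacy' / 'all' and the enctypes behind them
    follow Samba's documented 'kerberos encryption types' parameter;
  * msDS-SupportedEncryptionTypes bit values follow MS-KILE, and an absent or
    zero attribute is treated by Windows as RC4-HMAC only;
  * the KDC picks the first enctype in the client's preference list that it
    supports (RFC 4120) and answers error code 14 (KDC_ERR_ETYPE_NOSUPP)
    when none matches.
"""
from dataclasses import dataclass

AES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")
LEGACY = ("arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc")

# Join-screen option -> enctypes the client offers, strongest first.
ENCTYPES_FOR_OPTION = {
    "strong": AES,           # authpolicy default
    "legacy": LEGACY,
    "all": AES + LEGACY,     # what the thread calls "RC4-HMAC support"
}

# msDS-SupportedEncryptionTypes flag bits (MS-KILE); assumed, not from the thread.
MSDS_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac-md5",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

KDC_ERR_ETYPE_NOSUPP = 14


class KerberosError(Exception):
    """KRB-ERROR carrying the numeric Kerberos error code."""

    def __init__(self, code, message):
        super().__init__(f"KRB-ERROR {code}: {message}")
        self.code = code


def smb_conf_fragment(option):
    """The smb.conf setting the commit describes writing for the join."""
    if option not in ENCTYPES_FOR_OPTION:
        raise ValueError(f"unknown encryption option {option!r}")
    return f"[global]\n\tkerberos encryption types = {option}\n"


def kdc_enctypes(msds_supported_enctypes):
    """Decode the AD attribute into the enctypes the KDC will issue keys for."""
    if not msds_supported_enctypes:
        # Attribute absent/zero (the default on a trust object until AES is
        # enabled for the trust): Windows falls back to RC4-HMAC only.
        return ("arcfour-hmac-md5",)
    return tuple(name for bit, name in MSDS_ENCTYPE_BITS.items()
                 if msds_supported_enctypes & bit)


def negotiate(option, msds_supported_enctypes):
    """Enctype the KDC selects for a client configured with `option`.

    The client lists AES first, so AES is used whenever the KDC allows it,
    even when the client was told to accept RC4-HMAC as well.  An empty
    intersection is the 'unsupported encryption type' error authpolicy reports.
    """
    supported = set(kdc_enctypes(msds_supported_enctypes))
    for etype in ENCTYPES_FOR_OPTION[option]:
        if etype in supported:
            return etype
    raise KerberosError(
        KDC_ERR_ETYPE_NOSUPP,
        f"client offers {ENCTYPES_FOR_OPTION[option]}, KDC supports {sorted(supported)}")


@dataclass
class JoinSession:
    """Lifecycle of the option as the commit message describes it (hypothetical class)."""
    option: str = "strong"
    joined: bool = False

    def join(self, option, msds_supported_enctypes):
        # Assumption: only a successful join blocks further attempts.
        if self.joined:
            raise RuntimeError("device already joined; repeated join attempts are blocked")
        self.option = option
        etype = negotiate(option, msds_supported_enctypes)
        self.joined = True
        return etype

    def fetch_initial_device_policy(self, msds_supported_enctypes):
        etype = negotiate(self.option, msds_supported_enctypes)
        self.option = "strong"  # weak types only cover the join and this first fetch
        return etype


if __name__ == "__main__":
    s = JoinSession()
    print(smb_conf_fragment("all"))
    print("join   :", s.join("all", 0x04))                  # RC4-only KDC
    print("policy :", s.fetch_initial_device_policy(0x04))
    print("option :", s.option)                             # back to 'strong'
```

Run with a DC value of `0x1C` (RC4 + AES128 + AES256, the usual computer-account value) and every option still yields AES256; with `0x04` or `0` (RC4-only trust) only 'all' or 'legacy' succeed, and 'strong' raises error code 14, which is the failure the bug was filed about.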

Comment 6 by bugdroid1@chromium.org (Project Member), Feb 13 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b

commit ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Tue Feb 13 10:53:03 2018

Move select function into separate file

This allows using it on both the OOBE and login screens.
Also runs the callback on pressing arrows.

BUG= chromium:805908 
TEST=manual

Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: Iae406bf9af0d52e6ff83cd391bc40db35d076b6e
Reviewed-on: https://chromium-review.googlesource.com/908550
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Michael Giuffrida <michaelpg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536330}
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/compiled_resources2.gyp
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/login_non_lock_shared.js
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/oobe.js
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/oobe_i18n_dropdown.js
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/oobe_screen_network.js
[add] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/oobe_select.js
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/oobe_welcome.js
[modify] https://crrev.com/ad400418b67c2ed73d1ba6f2b4c6545f9ac28d3b/chrome/browser/resources/chromeos/login/screen_arc_terms_of_service.js


Comment 7 by bugdroid1@chromium.org (Project Member), Feb 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d09c9455c2484b01f2b0718bdc58ecd71a142d0f

commit d09c9455c2484b01f2b0718bdc58ecd71a142d0f
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu Feb 15 18:26:09 2018

Chromad: Allow users to specify encryption types.

By default authpolicyd uses the 'strong' Kerberos encryption types (AES-based algorithms only).
That is not feasible for all Active Directory infrastructure, so we allow the user to use weaker
types for the domain join as well, e.g. the 'all' option also includes RC4-HMAC in the permitted
encryption types.

For more info see:
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#Kerberos_client_encryption_types

BUG= chromium:805908 
CQ-DEPEND=CL:893271,CL:908550

Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: Ibe40db451bb4656dbf18a5c7639891e2d9bb91a0
Reviewed-on: https://chromium-review.googlesource.com/893564
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Michael Giuffrida <michaelpg@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537075}
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/app/chromeos_strings.grdp
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/chromeos/login/active_directory_login_browsertest.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/resources/chromeos/login/compiled_resources2.gyp
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/resources/chromeos/login/offline_ad_login.html
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/resources/chromeos/login/offline_ad_login.js
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/resources/chromeos/login/offline_gaia.css
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.html
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.h
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chromeos/dbus/fake_auth_policy_client_unittest.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chromeos/login/auth/authpolicy_login_helper.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chromeos/login/auth/authpolicy_login_helper.h
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/chromeos/login/auth/authpolicy_login_helper_unittest.cc
[modify] https://crrev.com/d09c9455c2484b01f2b0718bdc58ecd71a142d0f/components/policy/resources/policy_templates.json

Status: Fixed (was: Started)

Comment 9 by bugdroid1@chromium.org (Project Member), Feb 24 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/5eda0789e55a75fa5e73d53b71c12d2accc0bdd3

commit 5eda0789e55a75fa5e73d53b71c12d2accc0bdd3
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Feb 24 05:07:15 2018

authpolicy: Handle 'unsupported encryption type' error

The error was added in CL:886843, but it was never handled in
authpolicy.

BUG= chromium:805908 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I656b59b6803b56a8376dfa378de5a2a0bf5f1115
Reviewed-on: https://chromium-review.googlesource.com/930842
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/5eda0789e55a75fa5e73d53b71c12d2accc0bdd3/authpolicy/stub_net_main.cc
[modify] https://crrev.com/5eda0789e55a75fa5e73d53b71c12d2accc0bdd3/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/5eda0789e55a75fa5e73d53b71c12d2accc0bdd3/authpolicy/stub_common.cc
[modify] https://crrev.com/5eda0789e55a75fa5e73d53b71c12d2accc0bdd3/authpolicy/stub_common.h
[modify] https://crrev.com/5eda0789e55a75fa5e73d53b71c12d2accc0bdd3/authpolicy/samba_interface.cc

Status: Verified (was: Fixed)
Verified in M67.0.3390.0 10569.0.0 dev paine that encryption type and auth error message were implemented and working as expected.
Also verified no issue in M66.0.3359.79 10452.42.0 beta paine.