Bug 46292 - 4.3 master, 4.2 backup with s4connector, connector on backup segfaults
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3
Assigned To: Arvid Requate
Felix Botner
: interim-3
Depends on:
Blocks: 46298 46301
Reported: 2018-02-15 12:48 CET by Felix Botner
Modified: 2019-03-01 21:00 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
manually_filter_permitted_enctypes.patch (2.95 KB, patch)
2018-02-15 16:47 CET, Arvid Requate
univention-s4-connector.patch (1.19 KB, patch)
2018-02-16 11:32 CET, Felix Botner
univention-samba4.patch (1.09 KB, patch)
2018-02-16 11:32 CET, Felix Botner

Description Felix Botner univentionstaff 2018-02-15 12:48:39 CET
During the update to 4.3 on the master, the ucs-sso user is created with these krb5 keys


this causes a segfault in the s4connector (python heimdal bindings) and s4search-decode


->  univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode 
...userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 23
#	krb5_keytype: arcfour-hmac-md5
#	krb5_keytype: arcfour-hmac-md5 (23)
#	keyblock:  1k8wegm/+pjNKG0JluZkzw==
#	as NThash: D64F307A09BFFA98CD286D0996E664CF
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 3
#	krb5_keytype: des-cbc-md5
#	krb5_keytype: des-cbc-md5 (3)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 19
Speicherzugriffsfehler (Speicherabzug geschrieben)


now with the broken keys skipped

-> univention-ldapsearch uid=ucs-sso| ldapsearch-wrapper | s4search-decode 
...
uid: ucs-sso
sambaBadPasswordTime: 0
userPassword:: e2NyeXB0fSQ2JDl4NGdQbVFFeVA1ejFNODMkbmJPNHg0bjlJclhaajZmaUlXV1N1WHVUV21ZSXVYajRQNWtWV0swa1dGNUZibGZ5ZTZ5UklUOHI3V1I2R1Z2cWdjVFovcGxMOW5ZSUhZTmNCQkozSDA=
krb5Key:: MDmhGzAZoAMCARehEgQQ1k8wegm/+pjNKG0JluZkz6IaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 23
#	krb5_keytype: arcfour-hmac-md5
#	krb5_keytype: arcfour-hmac-md5 (23)
#	keyblock:  1k8wegm/+pjNKG0JluZkzw==
#	as NThash: D64F307A09BFFA98CD286D0996E664CF
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQOhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 3
#	krb5_keytype: des-cbc-md5
#	krb5_keytype: des-cbc-md5 (3)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 19
SKIPPING
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
#	krb5_keytype: 16
#	krb5_keytype: des3-cbc-sha1
#	krb5_keytype: des3-cbc-sha1 (16)
#	keyblock:  GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 20
SKIPPING
krb5Key:: MDGhEzARoAMCAQGhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 1
#	krb5_keytype: des-cbc-crc
#	krb5_keytype: des-cbc-crc (1)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDmhGzAZoAMCARGhEgQQrPDps5hY83xPSTD+737lmaIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: 17
#	krb5_keytype: aes128-cts-hmac-sha1-96
#	krb5_keytype: aes128-cts-hmac-sha1-96 (17)
#	keyblock:  rPDps5hY83xPSTD+737lmQ==
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MDGhEzARoAMCAQKhCgQIW4x1fCnqjEOiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 2
#	krb5_keytype: des-cbc-md4
#	krb5_keytype: des-cbc-md4 (2)
#	keyblock:  W4x1fCnqjEM=
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARKhIgQgyv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbWiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: 18
#	krb5_keytype: aes256-cts-hmac-sha1-96
#	krb5_keytype: aes256-cts-hmac-sha1-96 (18)
#	keyblock:  yv/c9bPmRnFzyBrDrfSi9+Ief0Zl+HKyl+KlahznvbU=
#	saltstring:  FOUR.TWOucs-sso
Comment 1 Felix Botner univentionstaff 2018-02-15 12:59:06 CET
permitted enc types in 4.3



>>> import heimdal
>>> c = heimdal.context()
>>> c.get_permitted_enctypes()
[aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc]


4.2

>>> c.get_permitted_enctypes()
[aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc]

so aes256-cts-hmac-sha384-192, aes128-cts-hmac-sha256-128 are new in 4.3
Comment 2 Arvid Requate univentionstaff 2018-02-15 13:05:42 CET
Ok, I guess we need to skip generating the newly added types aes256-cts-hmac-sha384-192 (20) and aes128-cts-hmac-sha256-128 (19) in users/user
Comment 3 Felix Botner univentionstaff 2018-02-15 13:05:52 CET
krb5Key:: MDmhGzAZoAMCAROhEgQQgiyNOyk+ySwO1IMVuZRHRqIaMBigAwIBA6ERBA9GT1VSLlRXT3Vjcy1zc28=
#	krb5_keytype: aes128-cts-hmac-sha256-128
#	krb5_keytype: aes128-cts-hmac-sha256-128 (19)
#	keyblock:  giyNOyk+ySwO1IMVuZRHRg==
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEGhIzAhoAMCARChGgQYGQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHlohowGKADAgEDoREED0ZPVVIuVFdPdWNzLXNzbw==
#	krb5_keytype: des3-cbc-sha1
#	krb5_keytype: des3-cbc-sha1 (16)
#	keyblock:  GQ4IN5E9c4BuzS8q+2dJfA7I73ObOFHl
#	saltstring:  FOUR.TWOucs-sso
krb5Key:: MEmhKzApoAMCARShIgQgy6DuAsuYAvTYYMzsSJ44QRwJGzme1oh0tdWyhuzLw9GiGjAYoAMCAQOhEQQPRk9VUi5UV091Y3Mtc3Nv
#	krb5_keytype: aes256-cts-hmac-sha384-192
#	krb5_keytype: aes256-cts-hmac-sha384-192 (20)
Comment 4 Arvid Requate univentionstaff 2018-02-15 13:11:00 CET
Also, users/user (or rather python-heimdal) should respect the "permitted_enctypes" setting specified in /etc/krb5.conf.

Felix also rightly suggests to restrict univention-python-heimdal to only treat the types it actually supports and to skip others. We may want to backport that also to UCS 4.2-3.
Comment 5 Felix Botner univentionstaff 2018-02-15 14:21:29 CET
(1)

we have set the default enc types in 4.3 to those permitted in 4.2, see defaults in conffiles/etc/krb5.conf


(In reply to Arvid Requate from comment #4)
> Also, users/user (or rather python-heimdal) should respect the
> "permitted_enctypes" setting specified in /etc/krb5.conf.
> 
> Felix also rightly suggests to restrict univention-python-heimdal to only
> treat the types it actually supports and to skip others. We may want to
> backport that also to UCS 4.2-3.

(2) yes we should fix 

(a)
univention-python-heimdal.enctype.c enctype_string() to not segfault for unknown enctypes


(b) and maybe 

univention-s4-connector/modules/univention/s4connector/s4/password.py
calculate_supplementalCredentials

and 

univention-samba4/s4search-decode
decode_krb5Key

to ignore unknown enctypes

--- /usr/sbin/s4search-decode.o	2018-02-15 14:20:06.445811000 +0100
+++ /usr/sbin/s4search-decode	2018-02-15 14:18:29.929811000 +0100
@@ -48,6 +48,7 @@
 from datetime import datetime
 
 context = None
+permitted_enctypes = []
 
 keytypes = {
 	1: 'des_crc',
@@ -74,10 +75,20 @@
 
 
 def decode_krb5Key(value):
+	global context
+	global permitted_enctypes
+	if not context:
+		context = heimdal.context()
+	if not permitted_enctypes:
+		for enc in context.get_permitted_enctypes():
+			permitted_enctypes.append(enc.toint())
 	k = binascii.a2b_base64(value)
 	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
 	enctype = keyblock.keytype()
 	enctype_id = enctype.toint()
+	if enctype_id not in permitted_enctypes:
+		print "# SKIPPING ENC type %s, not support by heimdal" % enctype_id
+		return
 	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)
 	key_data = keyblock.keyvalue()
 	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()
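Review bot: the skip message in the new `print "# SKIPPING ENC type %s, not support by heimdal"` line has a grammar slip ("not support by") and is exactly the string operators will grep for later; suggest `print "# SKIPPING ENC type %s, not supported by heimdal" % enctype_id`. The placement of the `if enctype_id not in permitted_enctypes:` check is right, since it returns before the `print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)` line that stringifies the enctype and triggers the crash. Two smaller points: `permitted_enctypes` is filled in a loop and then probed with `not in` on a list, where `permitted_enctypes = set(e.toint() for e in context.get_permitted_enctypes())` would do both in one step; and `if not permitted_enctypes:` treats an empty permitted list as "not yet initialised", so the context would be re-queried for every key in that case, which a `None` sentinel would avoid.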

(2) should also be backported to 4.2-3
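The skip logic proposed in this comment, as an added example that is not Univention's code: a stand-alone Python 3 decoder for the hdb `Key` structure stored in krb5Key (`Key ::= SEQUENCE { mkvno [0] INTEGER OPTIONAL, key [1] EncryptionKey, salt [2] Salt OPTIONAL }`, `EncryptionKey ::= SEQUENCE { keytype [0] INTEGER, keyvalue [1] OCTET STRING }`, `Salt ::= SEQUENCE { type [0] INTEGER, salt [1] OCTET STRING, ... }`), so the enctype number is known before any Heimdal binding is asked to name it. The permitted set is taken from the decoded output above and the function names are assumptions; the krb5Key values used in the test are the ones quoted in this report.

```python
import base64
import binascii

# Enctype numbers the decoded output above shows this Heimdal build handling
# (constructed from the page); anything else is skipped before reaching the bindings.
PERMITTED_ENCTYPES = {1, 2, 3, 16, 17, 18, 23}

def _tlv(buf, pos=0):
    """Read one DER TLV at pos (short or long definite length): (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _seq_members(buf):
    """buf starts with a SEQUENCE whose members are EXPLICIT [n] tags; map n -> inner TLV bytes."""
    tag, body, _ = _tlv(buf)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    out, pos = {}, 0
    while pos < len(body):
        ctx, val, pos = _tlv(body, pos)
        out[ctx & 0x1F] = val               # [n] EXPLICIT wraps exactly one inner TLV
    return out

def decode_krb5key(b64):
    """Decode one krb5Key (hdb Key) into enctype number, raw key bytes and salt string."""
    fields = _seq_members(base64.b64decode(b64))    # 0: mkvno, 1: EncryptionKey, 2: Salt
    enc = _seq_members(fields[1])                   # 0: keytype INTEGER, 1: keyvalue OCTET STRING
    key = {"enctype": int.from_bytes(_tlv(enc[0])[1], "big", signed=True),
           "keyvalue": _tlv(enc[1])[1], "salt": None}
    if 2 in fields:
        salt = _seq_members(fields[2])              # 0: salt type, 1: salt OCTET STRING
        key["salt"] = _tlv(salt[1])[1].decode("utf-8")
    return key

def describe_krb5key(b64, permitted=PERMITTED_ENCTYPES):
    """Annotate a key as s4search-decode does; skip enctypes the bindings cannot name."""
    key = decode_krb5key(b64)
    if key["enctype"] not in permitted:
        return "# SKIPPING ENC type %d, not supported by this Heimdal version" % key["enctype"]
    lines = ["# krb5_keytype: %d" % key["enctype"],
             "# keyblock: %s" % base64.b64encode(key["keyvalue"]).decode()]
    if key["enctype"] == 23:                        # arcfour-hmac-md5: the key is the NT hash
        lines.append("# as NThash: %s" % binascii.hexlify(key["keyvalue"]).decode().upper())
    if key["salt"] is not None:
        lines.append("# saltstring: %s" % key["salt"])
    return "\n".join(lines)
```

Because the enctype is read from the DER before anything is handed to the bindings, a key of type 19 or 20 is reported and skipped instead of crashing the process.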
Comment 6 Arvid Requate univentionstaff 2018-02-15 16:47:12 CET
Created attachment 9391 [details]
manually_filter_permitted_enctypes.patch

Ok, Heimdal 7.1 has additional keys in "default_etypes", and it doesn't consider the "permitted_enctypes" option in krb5.conf. So I created the attached patch to filter the enctypes manually. When I was ready with that I discovered that the options

* permitted_enctypes
* default_tgs_enctypes
* default_tkt_enctypes

are actually MIT Kerberos options and marked as such in the Heimdal krb5.conf parser. That's Bug 36542. I now fixed it by adjusting the UCR template to use the corresponding Heimdal options.
Comment 7 Arvid Requate univentionstaff 2018-02-15 18:57:02 CET
For compatibility reasons I've kept the MIT specific options too.
Comment 8 Felix Botner univentionstaff 2018-02-16 11:31:09 CET
I would like to patch univention-samba4 and univention-s4-connector to ignore krb5Keys with unsupported enctypes (see patches).


We should also backport this to 4.2-3.
Comment 9 Felix Botner univentionstaff 2018-02-16 11:32:21 CET
Created attachment 9392 [details]
univention-s4-connector.patch
Comment 10 Felix Botner univentionstaff 2018-02-16 11:32:50 CET
Created attachment 9393 [details]
univention-samba4.patch
Comment 11 Arvid Requate univentionstaff 2018-02-16 13:13:57 CET
Adjusted with commit e554b41680, packages rebuilt.
Comment 12 Felix Botner univentionstaff 2018-02-16 13:46:10 CET
FAIL - changelog


OK - univention-samba4

univention-ldapsearch uid=test1| ldapsearch-wrapper | s4search-decode 
...
krb5Key:: MDShGzAZoAMCAROhEgQQuuM6vxGbZy9NcK1bnwQREKIVMBOgAwIBA6EMBApGQi5CRnRlc3Qx
#	SKIPPING ENC type 19, not support by this Heimdal version
krb5Key:: MEShKzApoAMCARShIgQgPrt3cs3IlfJI8Zkxn+1wDsiIx1MlPi3g+RzbC77OhYuiFTAToAMCAQOhDAQKRkIuQkZ0ZXN0MQ==
#	SKIPPING ENC type 20, not support by this Heimdal version
...

OK - univention-s4-connector

16.02.2018 11:09:45,606 LDAP        (PROCESS): sync from ucs: [          user] [       add] cn=test2,DC=four,DC=two
16.02.2018 11:09:45,659 LDAP        (WARNING): calculate_supplementalCredentials: ignoring enctype '19', not supported by heimdal
16.02.2018 11:09:45,659 LDAP        (WARNING): calculate_supplementalCredentials: ignoring enctype '20', not supported by heimdal
16.02.2018 11:09:45,719 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=test2,DC=four,DC=two
16.02.2018 11:09:45,747 LDAP        (PROCESS): sync from ucs: [          user] [    modify] cn=test2,DC=four,DC=two
Comment 13 Arvid Requate univentionstaff 2018-02-16 15:06:20 CET
> FAIL - changelog

Sigh, it's a regression that occurred during development of UCS 4.3. I've added the bug number to the existing entry for Bug 36542.
Comment 14 Felix Botner univentionstaff 2018-02-16 15:28:37 CET
(In reply to Arvid Requate from comment #13)
> > FAIL - changelog
> 
> Sigh, it's a regression that occurred during development of UCS 4.3. I've
> added the bug number to the existing entry for Bug 36542.

yes, you are right, that should be enough
Comment 15 Stefan Gohmann univentionstaff 2018-03-14 14:38:12 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".