Univention Bugzilla – Bug 45822
S4 connector reject if kerberos/allow/weak/crypto=false
Last modified: 2023-03-25 06:55:05 CET
root@ucs01:~# univention-app info
UCS: 4.2-3 errata231
App Center compatibility: 4
Installed: samba4=4.6

Scenario:
1. ucr set kerberos/allow/weak/crypto=false
2. change a user password via UDM or UMC

Expected result:
-> password change is successfully synced to samba

Observed behaviour:
-> password is not synced to samba, passwords differ between OpenLDAP and Samba AD.

The following S4-Connector traceback occurs:

> 05.12.2017 16:33:11,52 LDAP (PROCESS): sync from ucs: [ user] [ modify] cn=someuser,ou=someou,DC=example,DC=intranet
> 05.12.2017 16:33:11,183 LDAP (WARNING): sync failed, saved as rejected
> /var/lib/univention-connector/s4/1512487988.817412
> 05.12.2017 16:33:11,184 LDAP (WARNING): Traceback (most recent call last):
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 897, in __sync_file_from_ucs
>     if ((old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, unicode(old_dn, 'utf8'), old, new)) or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old, new))):
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 2720, in sync_from_ucs
>     f(self, property_type, object)
>   File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/password.py", line 646, in password_sync_ucs_to_s4
>     s4connector.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), modlist, serverctrls=[ctrl_bypass_password_hash])
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 336, in modify_ext_s
>     resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3
>     resp_ctrl_classes=resp_ctrl_classes
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4
>     ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
>     result = func(*args,**kwargs)
> CONSTRAINT_VIOLATION: {'info': '0000202F: Primary:Kerberos missing at ../source4/dsdb/samdb/ldb_modules/password_hash.c:341', 'desc': 'Constraint violation'}
That variable has been created to *allow* Active Directory to work with Heimdal 1.4 and later:

root@master10:~# ucr search weak
kerberos/allow/weak/crypto: <empty>
 To ensure compatibility with Active Directory single DES keys (des-cbc-md5) are supported as standard. If this option is deactivated, the creation of such keys is disabled. If the variable is unset, single DES keys are supported.

There are some MUSTs in section 3.1.1.8.11.4 of the [MS-SAMR] specification ( https://msdn.microsoft.com/en-us/library/cc245681.aspx ), so I currently see no way to push a patch to Samba that would allow creating supplementalCredentials without DES keys. Sure, we could go our own way here, but we might have other priorities currently.
This blog post explains how Windows 7 and Windows Server 2008 R2 by default don't "support" DES encryption any longer. The posting shows in detail how the *client* doesn't offer DES as an option in its AS-REQ:
https://blogs.technet.microsoft.com/askds/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos/

Note: As often, the MS wording is so cool: The user account control setting of "Use Kerberos DES Encryption types for this account" means: "When this setting is checked, the account *only* supports the DES encryption."
https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/

PS: Thanks for raising this question. Reviewing old defaults and getting rid of cruft to raise the security bar is good.
ok
## Hackaton 8:

I've checked the Samba source code and the behavior of a native Windows Active Directory 2008 R2 (plus AD-Takeover):

* Windows 2008R2 generates AES256, AES128 and des-cbc-md5 but not des-cbc-crc (which is considered to be the weakest of all, even in comparison with rc4-md5)
* The Samba source code requires at least des-cbc-md5, but in place of des-cbc-crc the structures may contain a DUMMY_NTHASH_KEYTYPE (-140) (see Bug #28907)

So the only thing we could do currently would be:

1. Don't generate and use des-cbc-crc by removing it from the default_etypes etc. in /etc/krb5.conf

The second step would be to also make the KDC ignore des-cbc-md5 for Tickets. But since Samba/AD still requires its presence in the backend this would probably require patching Heimdal & UDM to still generate this key type even when we remove it from the default_etypes etc. in /etc/krb5.conf.
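As an added example of the first step proposed in the comment above (it is not UCS, Samba or Heimdal code), the following Python script audits the enctype lists in the [libdefaults] section of a Heimdal-style krb5.conf and writes a copy with des-cbc-crc removed while keeping des-cbc-md5, which Samba AD still requires in the backend. It goes slightly beyond the comment in that it can also drop des-cbc-md5 once the second step (patching Heimdal & UDM) were done. The sample krb5.conf, the list of enctype keys it touches besides default_etypes (taken from Heimdal's krb5.conf(5)), and the strength classes are assumptions made for this example.

```python
"""Audit and harden Kerberos enctype lists in a Heimdal-style krb5.conf.

Added example, not UCS/Samba/Heimdal code. The sample configuration below
is constructed for illustration only.
"""
import re
from typing import Dict, Iterable, List

# [libdefaults] keys that hold space-separated enctype lists. The names come
# from Heimdal's krb5.conf(5); which of them UCS really sets is an assumption.
ETYPE_KEYS = ("default_etypes", "default_etypes_des",
              "default_as_etypes", "default_tgs_etypes")

# Strength classes as ranked in the bug thread: single DES is weakest
# (des-cbc-crc below des-cbc-md5), RC4/3DES are legacy, AES is acceptable.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
LEGACY = {"arcfour-hmac-md5", "des3-cbc-sha1"}

# Constructed sample; realm, host and enctype lists are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = EXAMPLE.INTRANET
\tdefault_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
\tdefault_etypes_des = des-cbc-md5 des-cbc-crc
\tdns_lookup_kdc = true

[realms]
\tEXAMPLE.INTRANET = {
\t\tkdc = ucs01.example.intranet
\t}
"""

_KV = re.compile(r"^(\s*)([A-Za-z0-9_]+)(\s*=\s*)(.*?)\s*$")


def classify(etype: str) -> str:
    """Return the strength class of one enctype name."""
    if etype in SINGLE_DES:
        return "single-des"
    if etype in LEGACY:
        return "legacy"
    if etype.startswith("aes"):
        return "strong"
    return "unknown"


def _iter_lines(text: str):
    """Minimal krb5.conf reader: yields (section, key/value match or None, raw line).
    Sections are [bracketed], '#' starts a comment; nested { } blocks in
    [realms] are passed through untouched (their keys never match a section we edit)."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            yield section, None, line
        elif not stripped or stripped.startswith("#"):
            yield section, None, line
        else:
            yield section, _KV.match(line), line


def audit_etypes(text: str) -> Dict[str, List[str]]:
    """Map each enctype-list key in [libdefaults] to the non-AES entries it allows."""
    report: Dict[str, List[str]] = {}
    for section, m, _ in _iter_lines(text):
        if section == "libdefaults" and m and m.group(2) in ETYPE_KEYS:
            report[m.group(2)] = [e for e in m.group(4).split() if classify(e) != "strong"]
    return report


def harden_etype_lists(text: str, drop: Iterable[str] = ("des-cbc-crc",)) -> str:
    """Return the config with the given enctypes removed from every list key.

    The default drops only des-cbc-crc: Samba AD still needs des-cbc-md5 in
    supplementalCredentials, so it is kept unless explicitly requested. A list
    that would become empty is dropped so Heimdal uses its built-in default."""
    drop = set(drop)
    out = []
    for section, m, line in _iter_lines(text):
        if section == "libdefaults" and m and m.group(2) in ETYPE_KEYS:
            kept = [e for e in m.group(4).split() if e not in drop]
            if not kept:
                continue
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}{' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, weak in audit_etypes(SAMPLE_KRB5_CONF).items():
        print(f"{key}: weak/legacy enctypes allowed: {', '.join(weak) or 'none'}")
    print("--- hardened (des-cbc-crc removed) ---")
    print(harden_etype_lists(SAMPLE_KRB5_CONF), end="")
```

Run the script against a real file by reading it into the `text` argument instead of `SAMPLE_KRB5_CONF`; review the output before replacing /etc/krb5.conf, since on UCS that file is generated from UCR templates and a hand edit may be overwritten.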