Bug 1800575

Summary: Always add PAC record first in the Kerberos ticket even if other AD-IF-RELEVANT records are present
Product: Red Hat Enterprise Linux 8
Reporter: Alexander Bokovoy <abokovoy>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.2
CC: abokovoy, dpal, fdvorak, pasik, xzhou
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
URL: https://github.com/krb5/krb5/pull/1033
Whiteboard:
Fixed In Version: krb5-1.17-18.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 16:42:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alexander Bokovoy 2020-02-07 13:08:15 UTC
Clone of https://pagure.io/freeipa/issue/8185

When testing access as an IPA user to a Windows 2016 server AD DC, I found out that on Fedora 31 we seem to have some issue with both LDAP and SMB3.11 access to that AD DC. The traces show that the Windows server does authenticate us but then:
- for the LDAP protocol it sends back an error claiming we are not bound to the connection
- for the SMB protocol it sends back a signature that Samba considers a 'bad' one.

The root cause of the issue is that FreeIPA 4.8.2+ started assigning authentication indicators to tickets issued with more pre-authentication types than before. In particular, this happens for pre-authentication done with SPAKE, OTP, PKINIT, and wrapped FAST channels. 

We found that in krb5 1.17 or below authentication indicators are added in a CAMMAC entry as a separate ad-if-relevant element before the PAC record. This, it seems, confuses the Windows server implementation. Further research showed that it also confused a Samba AD DC built against Heimdal.

In krb5 1.18 (current git master) the code around the sign_authdata() callback was changed to first retrieve the existing PAC and then the authentication indicators, to allow them to be passed to the sign_authdata() callback for a possible change of the PAC or auth indicators. It means that in 1.18 the behavior would be different -- the PAC record would appear as the first ad-if-relevant element, and the CAMMAC would be added to it.

The change https://github.com/krb5/krb5/pull/1033 in MIT Kerberos upstream ensures that the PAC is always added first.
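
The ordering problem described in the report can be checked on a ticket's authorization data directly. The following is an added example, not code from the bug report, FreeIPA or MIT krb5: a minimal DER encoder/decoder for the Kerberos AuthorizationData type (RFC 4120, SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }), a `layout()` view that shows which ad-types sit in which AD-IF-RELEVANT container, a `pac_is_first()` check for the property the report says Windows and Heimdal-based Samba depend on, and a `reorder_pac_first()` that restores the invariant PR 1033 enforces at issue time. The PAC and CAMMAC payloads are constructed placeholder bytes (no signatures, no real PACTYPE or CAMMAC structure); the ad-type numbers (AD-IF-RELEVANT = 1, AD-CAMMAC = 96, AD-WIN2K-PAC = 128) are the registered IANA values. The 1.17-style sample puts the CAMMAC container ahead of the PAC container, as the report describes.

```python
"""Inspect and reorder Kerberos AuthorizationData so the AD-IF-RELEVANT
container carrying AD-WIN2K-PAC comes first (constructed example)."""

AD_IF_RELEVANT = 1     # RFC 4120 container type
AD_CAMMAC = 96         # RFC 7751; FreeIPA places auth indicators inside it
AD_WIN2K_PAC = 128     # MS-PAC

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
CTX0, CTX1 = 0xA0, 0xA1  # explicit context-specific tags [0] and [1]


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    size = (value.bit_length() + 8) // 8  # leave room for the sign bit
    return _tlv(INTEGER, value.to_bytes(size, "big", signed=True))


def _read_tlv(buf, pos):
    """Return (tag, contents, position just past the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _unwrap(buf, expected_tag):
    tag, body, end = _read_tlv(buf, 0)
    if tag != expected_tag or end != len(buf):
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{tag:02x}")
    return body


def encode_authdata(elements):
    """[(ad_type, ad_data bytes), ...] -> DER AuthorizationData."""
    items = [_tlv(SEQUENCE, _tlv(CTX0, _der_int(t)) +
                  _tlv(CTX1, _tlv(OCTET_STRING, d))) for t, d in elements]
    return _tlv(SEQUENCE, b"".join(items))


def decode_authdata(der):
    """DER AuthorizationData -> [(ad_type, ad_data bytes), ...]."""
    out, body, pos = [], _unwrap(der, SEQUENCE), 0
    while pos < len(body):
        tag, elem, pos = _read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("AuthorizationData element is not a SEQUENCE")
        t0, f0, p = _read_tlv(elem, 0)
        t1, f1, end = _read_tlv(elem, p)
        if (t0, t1) != (CTX0, CTX1) or end != len(elem):
            raise ValueError("bad ad-type/ad-data tagging")
        ad_type = int.from_bytes(_unwrap(f0, INTEGER), "big", signed=True)
        out.append((ad_type, _unwrap(f1, OCTET_STRING)))
    return out


def layout(der):
    """Nested ad-type list, one inner list per AD-IF-RELEVANT container."""
    result = []
    for ad_type, ad_data in decode_authdata(der):
        if ad_type == AD_IF_RELEVANT:
            result.append([t for t, _ in decode_authdata(ad_data)])
        else:
            result.append([ad_type])
    return result


def pac_is_first(der):
    """True when the first element a consumer sees is the AD-WIN2K-PAC."""
    shape = layout(der)
    return bool(shape) and shape[0][:1] == [AD_WIN2K_PAC]


def reorder_pac_first(der):
    """Move container(s) carrying AD-WIN2K-PAC to the front; keep the
    relative order of everything else (e.g. the CAMMAC container)."""
    def carries_pac(elem):
        ad_type, ad_data = elem
        return ad_type == AD_WIN2K_PAC or (ad_type == AD_IF_RELEVANT and any(
            t == AD_WIN2K_PAC for t, _ in decode_authdata(ad_data)))

    elements = decode_authdata(der)
    ordered = ([e for e in elements if carries_pac(e)] +
               [e for e in elements if not carries_pac(e)])
    return encode_authdata(ordered)


# Constructed sample in the krb5 <= 1.17 shape the report describes:
# CAMMAC (auth indicators) in its own AD-IF-RELEVANT, placed before the PAC.
FAKE_PAC = b"PACTYPE-placeholder"       # not a real PAC
FAKE_CAMMAC = b"CAMMAC-placeholder"     # not a real CAMMAC
TICKET_AUTHDATA_1_17 = encode_authdata([
    (AD_IF_RELEVANT, encode_authdata([(AD_CAMMAC, FAKE_CAMMAC)])),
    (AD_IF_RELEVANT, encode_authdata([(AD_WIN2K_PAC, FAKE_PAC)])),
])

if __name__ == "__main__":
    print("before:", layout(TICKET_AUTHDATA_1_17), pac_is_first(TICKET_AUTHDATA_1_17))
    fixed = reorder_pac_first(TICKET_AUTHDATA_1_17)
    print("after: ", layout(fixed), pac_is_first(fixed))
```

Run against the constructed sample, `layout()` reports `[[96], [128]]` before and `[[128], [96]]` after reordering. Against a real ticket the same functions can be pointed at the decrypted EncTicketPart's authorization-data field; the decoder only understands the AuthorizationData wrapper and does not validate PAC or CAMMAC contents.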

Comment 17 errata-xmlrpc 2020-04-28 16:42:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1775