
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
From:       Edgar Olougouna <edgaro () microsoft ! com>
Date:       2016-05-09 19:58:33
Message-ID: CY1PR0301MB11793B221F4A31B84EC73F4ADB700 () CY1PR0301MB1179 ! namprd03 ! prod ! outlook ! com

Uri,
The real workaround is a fix – which you already coded and tested – that enables interop across implementations in the industry e.g. Windows, MIT. The 5-byte kvno issue is a legacy that surfaced when Windows introduced RODC, which leveraged the higher bytes of the kvno. Statistically 50% of RODCs will have an Rodc-ID >= 32768. When promoting a Windows server to RODC, the administrator does not have the option to control or choose its Rodc-Id. The RODC identifier is generated by the system and is random between 1 and 0xFFFF, but it is unique across the domain. Only SYSTEM has the write privilege on the msDS-SecondaryKrbTgtNumber attribute; this is a system-only attribute, and is not meant to be modified.

Thanks,
Edgar

-----Original Message-----
From: Uri Simchoni [mailto:uri@samba.org] 
Sent: Saturday, May 7, 2016 3:45 AM
To: Edgar Olougouna <edgaro@microsoft.com>
Cc: cifs-protocol@lists.samba.org; Ralph Böhme <slow@samba.org>; MSSolve Case Email <casemail@microsoft.com>
Subject: Re: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

One last thing - for the sake of reproducing the issue in the future or as a workaround, is there a way to control the RODC id when promoting a server to RODC (i.e. to make the rodc id < 32768 or >= 32768)?

Thanks,
Uri.
On 05/06/2016 08:31 PM, Edgar Olougouna wrote:
> Uri,
> Windows KILE key version numbers are signed 32-bit integers. Windows KDC does not accept 5-byte Kvno and does not return errors on "malformed" packets as that can be used to set up a DoS flood attack. The first 16 bits of the kvno, including the most significant bit, are an unsigned 16-bit number that SHOULD identify the RODC (if it's RODC). The remaining 16 bits SHOULD be the version number of the key. KILE has a deviation from [RFC4120] which defines kvno as Uint32. For interop, MIT implementation also uses the signed 32-bit integer.
> Maybe I'll add a few lines to my blog:
> https://blogs.msdn.microsoft.com/openspecification/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment/
> 
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Friday, May 6, 2016 10:57 AM
> To: Uri Simchoni <uri@samba.org>
> Cc: cifs-protocol@lists.samba.org; Ralph Böhme <slow@samba.org>; 
> MSSolve Case Email <casemail@microsoft.com>
> Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
> 
> Uri,
> I am reviewing this and will follow-up soon.
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Kamil Sykora
> Sent: Thursday, May 5, 2016 8:13 PM
> To: Uri Simchoni <uri@samba.org>
> Cc: cifs-protocol@lists.samba.org; Ralph Böhme <slow@samba.org>; 
> MSSolve Case Email <casemail@microsoft.com>
> Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
> 
> [BCC: dochelp, CC: casemail]
> 
> Hello Uri,
> 
> Thank you for your question. I have created incident 116050614132786 to track your issue. One of our team members will contact you shortly.
> Thanks,
> Kamil
> 
> Kamil Sykora
> Microsoft Open Specifications
> 
> 
> -----Original Message-----
> From: Uri Simchoni [mailto:uri@samba.org]
> Sent: Thursday, May 5, 2016 5:26 PM
> To: Interoperability Documentation Help <dochelp@microsoft.com>
> Cc: cifs-protocol@lists.samba.org; Ralph Böhme <slow@samba.org>
> Subject: [MS-KILE] - DER encoding of KVNO
> 
> 
> Hi,
> 
> This is in reference to Samba bug https://bugzilla.samba.org/show_bug.cgi?id=11900.
> I seek clarification on encoding of Kerberos tickets.
> We've found that when generating a TGS request, the Kerberos library that's bundled with Samba encodes a KVNO larger than 0x7fffffff using 5 bytes, and this seems to upset Windows domain controllers (2003R2 and 2008R2), which seem to expect a maximum of 4 bytes in the KVNO. We've demonstrated that encoding the KVNO in 4 bytes fixes the issue.
> We easily get to such a high KVNO when working against an RODC which is configured to cache our machine account password. In that case the TGT we get has a high KVNO because it's made up of two fields. It appears that we decode and re-encode the TGT (the unencrypted parts) before sending it in a TGS-REQ.
> According to RFC 4120, a KVNO is an unsigned 32-bit integer, and according to DER, such an integer in the range of 0x80000000-0xFFFFFFFF has to be encoded using 5 bytes, so it seems Samba's in compliance with the standard here.
> Can you confirm that Windows expects up to 4 bytes in the KVNO? If yes, can it be said that Windows is too restrictive here?
> Thanks,
> Uri.
> 

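As an added illustration (not code from the thread, nor from Samba, MIT or Microsoft), here is a small Python model of the two kvno interpretations the exchange compares: RFC 4120's UInt32, which DER-encodes values at or above 0x80000000 with a leading zero pad (5 content bytes), against the signed int32 that Windows KILE and MIT use (4 content bytes), plus the RODC-id/key-version split Edgar describes. Function names are my own.

```python
# Added example: DER INTEGER encoding of a Kerberos kvno under the two
# interpretations discussed in the thread. RFC 4120 says UInt32, so any value
# with the top bit set needs a 0x00 pad byte (5 content bytes); KILE and MIT
# reinterpret the same 32-bit pattern as a signed int32 (4 content bytes).

def der_integer_content(value: int) -> bytes:
    """Minimal two's-complement big-endian content octets of a DER INTEGER."""
    length = 1
    while True:
        lo, hi = -(1 << (8 * length - 1)), (1 << (8 * length - 1)) - 1
        if lo <= value <= hi:
            return value.to_bytes(length, "big", signed=True)
        length += 1

def der_integer(value: int) -> bytes:
    """Tag 0x02, short-form length, content (enough for any 32-bit value)."""
    content = der_integer_content(value)
    return b"\x02" + bytes([len(content)]) + content

def encode_kvno_rfc4120(kvno: int) -> bytes:
    """RFC 4120: kvno is UInt32, so the DER value is the unsigned number."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno out of UInt32 range")
    return der_integer(kvno)

def encode_kvno_kile(kvno: int) -> bytes:
    """KILE/MIT: the 32-bit pattern is a signed int32, never more than 4 bytes."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno out of 32-bit range")
    signed = kvno - (1 << 32) if kvno & 0x80000000 else kvno
    return der_integer(signed)

def decode_kvno(der: bytes) -> int:
    """Decode a DER INTEGER back to the 32-bit kvno bit pattern; accepts both
    the 5-byte unsigned form and the 4-byte (or shorter) signed form."""
    if len(der) < 3 or der[0] != 0x02 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form DER INTEGER")
    return int.from_bytes(der[2:], "big", signed=True) & 0xFFFFFFFF

def split_kvno(kvno: int) -> tuple:
    """Upper 16 bits: RODC id (0 for a writable DC); lower 16: key version."""
    return (kvno >> 16) & 0xFFFF, kvno & 0xFFFF

def needs_five_bytes_unsigned(kvno: int) -> bool:
    """True exactly when the RODC id is >= 32768, the case the thread hits."""
    return len(encode_kvno_rfc4120(kvno)) == 7  # tag + length + 5 content bytes
```

Run against a constructed kvno such as 0x80010002 (RODC id 32769, key version 2), the RFC 4120 form is 7 bytes on the wire while the KILE form is 6, and both decode to the same 32-bit pattern.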
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

