Antonios Kalkakos
2018-Jan-06 11:11 UTC
[Samba] Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal Kerberos 7.1.0 packages are installed from Debian repositories. Management is done from MS-RSAT installed on a Windows 7 Pro client. When I select the option "Account is sensitive and cannot be delegated" (in Active Directory Users and Computers under the Account tab) for a user account regardless of its privileges, the user cannot logon on any client PC. Windows 7 responds "Logon failure: user account restriction. Possible reasons are blank passwords are not allowed, logon hour restrictions, or a policy restriction has been enforced" and a Debian Stretch client responds "You are not allowed to logon from this workstation". The Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: 0x00100000: UF_NOT_DELEGATED: The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT for the account. It means the KDC will respond with an error if the client asks for the forwardable ticket. The client typically gives up and removes the GSS_C_DELEG_FLAG flag and continues without passing delegated credentials. Administrators can use this to disable possible delegation for the most privileged accounts (e.g. administrator accounts). Upon the initial logon procedure however, both Samba 4.5.12 and Windows 7 clients will actually give up and not continue asking for a non-forwardable TGT, which means that the user will be locked out. Testing with Wireshark on another AD with one Windows 2008 R2 DC showed that the DC ignored the forwardable flag on AS-REQ and the user logged in normally having a non-forwardable TGT. All subsequent TGS requests on the same logon session from a Windows 7 client didn't have the forwardable flag set. Should I fill a bug for that, request to be added on Samba wiki or am I doing something wrong? Thank you in advance, Antonios Kalkakos
Roy Eastwood
2018-Jan-06 12:10 UTC
[Samba] Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
FWIW same applies to a domain with DCs running on Samba 4.7.4 and Windows 7 client.> -----Original Message----- > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Antonios > Kalkakos via samba > Sent: 06 January 2018 11:11 > To: samba at lists.samba.org > Subject: [Samba] Account is sensitive and cannot be delegated > (userAccountControl NOT_DELEGATED flag 0x00100000) > > I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal > Kerberos 7.1.0 packages are installed from Debian repositories. Management is > done from MS-RSAT installed on a Windows 7 Pro client. > > When I select the option "Account is sensitive and cannot be delegated" (in > Active Directory Users and Computers under the Account tab) for a user account > regardless of its privileges, the user cannot logon on any client PC. Windows 7 > responds "Logon failure: user account restriction. Possible reasons are blank > passwords are not allowed, logon hour restrictions, or a policy restriction has > been enforced" and a Debian Stretch client responds "You are not allowed to > logon from this workstation". The Samba DC will provide a non-forwardable TGT, > if you ask for it with kinit -F command from the Linux client. Issuing the command > kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". > > Investigation with Wireshark showed that after receiving an AS-REQ for a TGT > with the forwardable flag set, the Samba 4.5.12 DC responds a > KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as > kinit -f). This behavior is correct according to CVE-2016-2125 > (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: > > 0x00100000: UF_NOT_DELEGATED: > The UF_NOT_DELEGATED can be used to disable the ability to get forwardable > TGT > for the account. It means the KDC will respond with an error if the client asks > for the forwardable ticket. The client typically gives up and removes the > GSS_C_DELEG_FLAG flag and continues without passing delegated credentials. > Administrators can use this to disable possible delegation for the most > privileged accounts (e.g. administrator accounts). > > Upon the initial logon procedure however, both Samba 4.5.12 and Windows 7 > clients will actually give up and not continue asking for a non-forwardable TGT, > which means that the user will be locked out. > > Testing with Wireshark on another AD with one Windows 2008 R2 DC showed > that the DC ignored the forwardable flag on AS-REQ and the user logged in > normally having a non-forwardable TGT. All subsequent TGS requests on the > same logon session from a Windows 7 client didn't have the forwardable flag set. > > Should I fill a bug for that, request to be added on Samba wiki or am I doing > something wrong? > > Thank you in advance, > Antonios Kalkakos > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Jan-06 12:29 UTC
[Samba] Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
On Sat, 6 Jan 2018 11:11:22 +0000 Antonios Kalkakos via samba <samba at lists.samba.org> wrote:> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and > Heimdal Kerberos 7.1.0 packages are installed from Debian > repositories. Management is done from MS-RSAT installed on a Windows > 7 Pro client. >What Heimdal Kerberos packages have you installed on the DCs ? Client or Server ? If the later, remove them, Samba ships with its own kerberos server. Rowland
Antonios Kalkakos
2018-Jan-06 12:58 UTC
[Samba] Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
On 6/1/2018 14:29, Rowland Penny via samba wrote: What Heimdal Kerberos packages have you installed on the DCs ? Client or Server ? If the later, remove them, Samba ships with its own kerberos server. Rowland Only the package heimdal-clients which provides the kinit, klist and kdestroy and its dependencies. Server packages such as heimdal-kdc, heimdal-servers are not installed.
Andrew Bartlett
2018-Jan-06 21:55 UTC
[Samba] Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
On Sat, 2018-01-06 at 11:11 +0000, Antonios Kalkakos via samba wrote:> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal Kerberos 7.1.0 packages are installed from Debian repositories. Management is done from MS-RSAT installed on a Windows 7 Pro client. > > When I select the option "Account is sensitive and cannot be delegated" (in Active Directory Users and Computers under the Account tab) for a user account regardless of its privileges, the user cannot logon on any client PC. Windows 7 responds "Logon failure: user account restriction. Possible reasons are blank passwords are not allowed, logon hour restrictions, or a policy restriction has been enforced" and a Debian Stretch client responds "You are not allowed to logon from this workstation". The Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". > > Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: > > 0x00100000: UF_NOT_DELEGATED: > The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT > for the account. It means the KDC will respond with an error if the client asks > for the forwardable ticket. The client typically gives up and removes the > GSS_C_DELEG_FLAG flag and continues without passing delegated credentials. > Administrators can use this to disable possible delegation for the most > privileged accounts (e.g. administrator accounts). > > Upon the initial logon procedure however, both Samba 4.5.12 and Windows 7 clients will actually give up and not continue asking for a non-forwardable TGT, which means that the user will be locked out. > > Testing with Wireshark on another AD with one Windows 2008 R2 DC showed that the DC ignored the forwardable flag on AS-REQ and the user logged in normally having a non-forwardable TGT. All subsequent TGS requests on the same logon session from a Windows 7 client didn't have the forwardable flag set. > > Should I fill a bug for that, request to be added on Samba wiki or am I doing something wrong?Yes, please file a bug. Clearly we need a test for this. (Regarding Rowland's point, the Heimdal package on Debian won't actually be used by the Samba 4.5 package). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Antonios Kalkakos
2018-Jan-31 16:15 UTC
[Samba] Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
On 6/1/2018 23:55, Andrew Bartlett wrote:> On Sat, 2018-01-06 at 11:11 +0000, Antonios Kalkakos via samba wrote: >> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal Kerberos 7.1.0 packages are installed from Debian repositories. Management is done from MS-RSAT installed on a Windows 7 Pro client. >> >> When I select the option "Account is sensitive and cannot be delegated" (in Active Directory Users and Computers under the Account tab) for a user account regardless of its privileges, the user cannot logon on any client PC. Windows 7 responds "Logon failure: user account restriction. Possible reasons are blank passwords are not allowed, logon hour restrictions, or a policy restriction has been enforced" and a Debian Stretch client responds "You are not allowed to logon from this workstation". The Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable". >> >> Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states: >> >> 0x00100000: UF_NOT_DELEGATED: >> The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT >> for the account. It means the KDC will respond with an error if the client asks >> for the forwardable ticket. The client typically gives up and removes the >> GSS_C_DELEG_FLAG flag and continues without passing delegated credentials. >> Administrators can use this to disable possible delegation for the most >> privileged accounts (e.g. administrator accounts). >> >> Upon the initial logon procedure however, both Samba 4.5.12 and Windows 7 clients will actually give up and not continue asking for a non-forwardable TGT, which means that the user will be locked out. >> >> Testing with Wireshark on another AD with one Windows 2008 R2 DC showed that the DC ignored the forwardable flag on AS-REQ and the user logged in normally having a non-forwardable TGT. All subsequent TGS requests on the same logon session from a Windows 7 client didn't have the forwardable flag set. >> >> Should I fill a bug for that, request to be added on Samba wiki or am I doing something wrong? > Yes, please file a bug. Clearly we need a test for this. > > (Regarding Rowland's point, the Heimdal package on Debian won't > actually be used by the Samba 4.5 package). > > Andrew BartlettI have filled Bug 13205 with a proposed patch. It also affects Samba versions 4.7.4 and 4.8.0rc2.
Apparently Analagous Threads
- Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
- Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
- Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)
- Anonymous
- [PATCH] Getting AFS tokens from a GSSAPI-delegated TGT