AllowedWorkstationNames and Krb5

Microsoft uses the clientAddresses *multiple value* field in the krb5
protocol (particularly the AS_REQ) to communicate it's netbios name.
This is (my guess) to permit the userWorkstations field to work.

The KDC I imagine checks the netbios address against this value, in
the same way that the Samba server does this.

The checking of this implies a little of the next question:

Is a DAL the layer we need?

Looking at what we need to pass around, I start to seriously wonder if
the DAL is even the right layer - we seem to want to create an account
authorization abstraction layer - is this account permitted to login to
this computer, at this time?

This information in AD is much richer than the Heimdal HDB, and it
seems to make sense to do AD-specific access control checks in an
AD-specific layer, not in the back-end agnostic server.

Because the DAL only reads in the principalName as the key, it has
trouble performing access control decisions on things other than the

I'll be very interested if the DAL really works for eDirectory too.
Perhaps all we need to do is add in the same kludges as we have in
Samba 3.0 for eDirectory.  Hmm...

That said, the current layer provides us with a very good start, and
any redefinition would occour from that basis.

GSSAPI layer requirements

Welcome to the wonderful world of canonicalisation

The MIT GSSAPI libs do not support kinit returning a different
realm to what the client asked for, even just in case differences.

Heimdal has the same problem, and this applies to the krb5 layer, not
just gssapi.

We need to test if the canonicalisation is controlled by the KDCOption
flags, windows always sends the Canonicalize flags

Old Clients (samba3 and HPUX clients) uses 'selfmade' gssapi/krb5
for using it in the CIFS session setup. Because they use krb5_mk_req()
they get a chksum field depending on the encryption type, but that's wrong
for GSSAPI (see rfc 1964 section 1.1.1). The Cheksum type 8003
should be used in the Authenticator of the AP-REQ! That allows the channel bindings,
the GCC_C_* req_flags and optional delegation tickets to be passed from the client to the server.
Hower windows doesn't seems to care about if the checksum is of the wrong type,
for CIFS SessionSetups, it seems that the req_flags are just set to 0.
So this can't work for LDAP connections with sign or seal, or for any DCERPC

So we need to also support old clients!

Principal Names, long and short names

As far as servicePrincipalNames are concerned, these are not
canonicalised, except as regards the realm in the reply.  That is, the
client gets back the principal it asked for, with the realm portion
'fixed' to uppercase, long form.  

The short name of the realm seems to be accepted for at least AS_REQ
operations, but because the server performs canonicalisation, this
causes pain for current client libraries. 

The canonicalisation of names matters not only for the KDC, but also
for code that has to deal with keytabs.

HOST/ Aliases

There is another post somewhere (ref lost for the moment) that details
where in active directory the list of stored aliases for HOST/ is.
This should be read, parsed and used to allow any of these requests to
use the HOST/ key.

For example, this is how HTTP/, DNS/ and CIFS/ can use HOST/ without
any explicit entry. reminds me:

> This is the SPNMappings attribute in Active Directory:


We implement this in hdb-ldb.

Returned Salt for PreAuthentication

When the server replies for pre-authentication, it returns the Salt,
which may be in the form of a principalName that is in no way
connected with the current names.  (ie, even if the userPrincipalName
and samAccountName are renamed, the old salt is returned).

This is probably the kerberos standard salt, kept in the 'Key'.  The
standard generation rules are found in a Mail from Luke Howard dated
10 Nov 2004:

From: Luke Howard <>
Message-Id: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Organization: PADL Software Pty Ltd
Date: Wed, 10 Nov 2004 13:31:21 +1100
Versions: dmail (bsd44) 2.6d/makemail 2.10
Subject: Re: Samba-3.0.7-1.3E Active Directory Issues
X-Mailman-Version: 2.1.4
Precedence: list

Did some more testing, it appears the behaviour has another
explanation. It appears that the standard Kerberos password salt
algorithm is applied in Windows 2003, just that the source principal
name is different.

Here is what I've been able to deduce from creating a bunch of
different accounts:

Type of account		Principal for Salting
Computer Account                host/<SAM-Name-Without-$>.realm@REALM
User Account Without UPN        <SAM-Name>@REALM
User Account With UPN           <LHS-Of-UPN>@REALM

Note that if the computer account's SAM account name does not include
the trailing '$', then the entire SAM account name is used as input to
the salting principal. Setting a UPN for a computer account has no

It seems to me odd that the RHS of the UPN is not used in the salting
principal. For example, a user with UPN in the realm
MYREALM.COM would have a salt of MYREALM.COMfoo. Perhaps this is to
allow a user's UPN suffix to be changed without changing the salt. And
perhaps using the UPN for salting signifies a move away SAM names and
their associated constraints.

For more information on how UPNs relate to the Kerberos protocol,

-- Luke


Heimdal oddities

Heimdal is built such that it should be able to serve multiple realms
at the same time.  This isn't relevant for Samba's use, but it shows
up in a lot of generalisations throughout the code.

State Machine safety

Samba is a giant state machine, and as such have very different
requirements to those traditionally expressed for kerberos and GSSAPI

Samba requires all of the libraries it uses to be state machine safe in
their use of internal data.  This does not mean thread safe, and an
application could be thread safe, but not state machine safe (if it
instead used thread-local variables).

So, what does it mean for a library to be state machine safe?  This is
mostly a question of context, and how the library manages whatever
internal state machines it has.  If the library uses a context
variable, passed in by the caller, which contains all the information
about the current state of the library, then it is safe.  An example
of this state is the sequence number and session keys for an ongoing
encrypted session).

The other issue affecting state machines is 'blocking' (waiting for a
read on a network socket).  

Heimdal has this 'state machine safety' in parts, and we have modified
the lorikeet branch to improve this behviour, when using a new,
non-standard API.  

Heimdal uses a per-context variable for the 'krb5_auth_context', which
controls the ongoing encrypted connection, but does use global
variables for the ubiquitous krb5_context parameter.  

The modification that has added most to 'state machine safety' of
GSSAPI is the addition of the gsskrb5_acquire_creds function.  This
allows the caller to specify a keytab and ccache, for use by the
GSSAPI code.  Therefore there is no need to use global variables to
communicate this information. 

At a more theoritical level (simply counting static and global
variables) Heimdal is not state machine safe for the GSSAPI layer.
The Krb5 layer alone is much closer, as far as I can tell, blocking
excepted. .

To deal with blocking, we could have a fork()ed child per context,
using the 'GSSAPI export context' function to transfer
the GSSAPI state back into the main code for the wrap()/unwrap() part
of the operation.  This will still hit issues of static storage (one
gss_krb5_context per process, and multiple GSSAPI encrypted sessions
at a time) but these may not matter in practice.

GSSAPI and Kerberos extensions

This is a general list of the other extensions we have made to / need from
the kerberos libraries


 - gsskrb5_get_initiator_subkey() (return the opposite key to what the
   lucid context and get_subkey() calls return).

 - gsskrb5_get_authz_data()

 - gsskrb5_acquire_creds() (takes keytab and/or ccache as input
   parameters, see keytab and state machine discussion)

Keytab requirements

Because windows machine account handling is very different to the
tranditional 'MIT' keytab operation.  This starts when we look at the
basis of the secrets handling:

Traditional 'MIT' behaviour is to use a keytab, continaing salted key
data, extracted from the KDC.  (In this modal, there is no 'service
password', instead the keys are often simply application of random
bytes).  Heimdal also implements this behaviour.

The windows modal is very different - instead of sharing a keytab with
each member server, a password is stored for the whole machine.  The
password is set with non-kerberos mechanisms (particularly SAMR, a
DCE-RPC service) and when interacting on a kerberos basis, the
password is salted by the client.  (That is, no salt infromation
appears to be convayed from the KDC to the member).

In dealing with this modal, the traditional file keytab seems
outmoded, because it is not the primary source of the keys, and as
such we have replaced it with an IN-MEMORY keytab.  This avoids Samba4
needing to deal with system files for it's internal operation.  (We
will however forward-port parts of Samba3's net ads keytab, for the
benifit of other applications).

When dealing with a windows KDC, the behaviour regarding case
sensitivity and canonacolisation must be accomidated.  This means that
an incoming request to a member server may have a wide variety of
service principal names.  These include:

machine$@REALM (samba clients)
HOST/ (win2k clients)
HOST/foo@realm (win2k clients, using netbios)
cifs/ (winxp clients)
cifs/foo@realm (winxp clients, using netbios)

as well as all case variations on the above.  

Because that all got 'too hard' to put into a keytab (and because we
still wanted to supply a keytab to the GSSAPI code), a 'wildcard'
keytab was devised.  MEMORY_WILDCARD: is much like MEMORY:, except it
only matches on kvno, rather than on the principal name.

Extra Heimdal functions used
(an attempt to list some of the Heimdal-specific functions I know we use)


KDC Extensions

We have modified Heimdal's 'hdb' interface to specify the 'type' of
Principal being requested.  This allows us to correctly behave with
the different 'classes' of Principal name. 

We currently define 2 classes:
 - client (kinit)
 - server (tgt)

I also now specify the kerberos principal as an explict parameter, not
an in/out value on the entry itself.

Inside hdb-ldb, we add krbtgt as a special class of principal, because
of particular special-case backend requirements.


Samba4 needs to be built as a single binary (design requirement), and
this should include the KDC.  Samba also (and perhaps more
importantly) needs to control the configuration environment of the

The interface we have defined for libkdc allow for packet injection
into the post-socket layer, with a defined krb5_context and
kdb5_kdc_configuration structure.  These effectively redirect the
kerberos warnings, logging and database calls as we require.

Using our socket lib

An important detail in the use of libkdc is that we use our own socket
lib.  This allows the KDC code to be as portable as the rest of samba
(this cuts both ways), but far more importantly it ensures a
consistancy in the handling of requests, binding to sockets etc.

To handle TCP, we will use of our socket layer in much the same way as
we deal with TCP for CIFS.  Tridge has promised this generalisation.

Kerberos logging support

Samba now (optionally in the main code, required for the KDC) uses the
krb5_log_facility from Heimdal.  This allows us to redirect the
warnings and status from the KDC (and client/server kerberos code) to
Samba's DEBUG() system.

Similarly important is the Heimdal-specific krb5_get_error_string()
function, which does a lot to reduce the 'administrator pain' level,
by providing specific, english text-string error messages instead of
just error code translations.