On Mon, Nov 16, 2020 at 10:48 AM Luke Hebert <lheb...@cloudera.com> wrote:
> We've just started encountering problems at customer sites with
> Kerberos-enabled clients as a result of how Microsoft appears to be
> approaching CVE-2020-17049
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
> details on this CVE are slim on MITRE and there is a small amount of
> additional information on the Microsoft portal. I thought I'd ask
> the list what their thoughts are on what is being done here.
> Disabling service ticket and TGT renewability is not great and it
> obviously breaks long-running processes that rely on renewability of
> these items.

I believe we are being bitten by this change as well. Here's what we see.

I perform an initial kinit, and request a renewable ticket:

$ kinit usern...@example.org
Password for usern...@example.org:

As klist shows, the ticket is renewable:

$ klist -f
Ticket cache: KCM:2000:78917
Default principal: usern...@example.org

Valid starting       Expires              Service principal
2020-11-13 13:15:57  2020-11-14 13:15:50  krbtgt/example....@example.org
        renew until 2020-11-20 13:15:50, Flags: FRIA

Decoding the Flags field:

+------+------------------+
| flag | meaning          |
+------+------------------+
| F    | Forwardable      |
| R    | Renewable        |
| I    | Initial          |
| A    | preAuthenticated |
+------+------------------+

But attempting to renew this ticket throws an error:

$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

From packet tracing, the TGS-REQ packet contains the following options:

kdc-options: 40800002
    .1.. .... = forwardable: True
    1... .... = renewable: True
    .... ..1. = renew: True

This is exactly what a renewal request should contain: a renew request (renew: True) using a non-expired renewable ticket (renewable: True).
But the reply from the server is KRB-ERROR, and contains:

krb-error
    msg-type: krb-error (30)
    error-code: eRR-BADOPTION (13)

Curiously, we have multiple AD realms, and not all of them show this problem, despite the fact that our Windows admins assert that all realms received the Microsoft updates that contain the fix for CVE-2020-17049. I've asked our Windows admins to enumerate what the PerformTicketSignature registry keys are set to for all of our DCs, for all realms.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
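The reasoning in the message above (the TGT is renewable, the TGS-REQ asks for a renewal, yet the KDC answers KDC_ERR_BADOPTION) can be mechanised so the same triage can be run over any captured renewal. The following is an added example, not code from the thread or from MIT Kerberos: it decodes the kdc-options bit string using the bit positions from RFC 4120 section 5.4.1, expands the single-letter flags that MIT `klist -f` prints, and then applies a small diagnosis routine (my own heuristic, not a Kerberos library call) to separate client-side reasons a renewal cannot work (ticket not renewable, endtime or renew-till already passed) from a KDC refusal of a well-formed request. The sample values are constructed from the klist and packet-trace output quoted above; the "now" timestamp is an assumption, since the message does not say when `kinit -R` was run.

```python
"""Decode Kerberos renewal artefacts and classify a failed renewal.

Added example for the kinit -R / KDC_ERR_BADOPTION discussion; not part of
the original thread or of any Kerberos implementation.
"""
from datetime import datetime
from typing import List, Optional

# KDCOptions bit positions, RFC 4120 section 5.4.1 (ASN.1 BIT STRING: bit 0 is
# the most significant bit of the first byte). Bit 15 is canonicalize (RFC 6806).
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Single-letter ticket flags as printed by MIT `klist -f`.
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "i": "invalid", "R": "renewable",
    "I": "initial", "H": "hw-authent", "A": "pre-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# A few KRB-ERROR error-codes from RFC 4120 section 7.5.9.
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    13: "KDC_ERR_BADOPTION", 18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
}


def decode_kdc_options(hex_word: str) -> List[str]:
    """Turn the 32-bit kdc-options value shown by a packet tracer into names."""
    value = int(hex_word, 16)
    names = []
    for bit in range(32):
        if value & (1 << (31 - bit)):          # bit 0 is the MSB
            names.append(KDC_OPTIONS.get(bit, f"bit{bit}"))
    return names


def decode_klist_flags(flags: str) -> List[str]:
    """Expand the Flags column of `klist -f` (e.g. 'FRIA')."""
    return [KLIST_FLAGS.get(c, f"unknown({c})") for c in flags]


def renewal_diagnosis(ticket_flags: str, expires: datetime, renew_until: datetime,
                      now: datetime, kdc_options_hex: str,
                      error_code: Optional[int]) -> str:
    """Heuristic triage of a TGS-REQ renewal: client-side precondition or KDC refusal."""
    opts = decode_kdc_options(kdc_options_hex)
    flags = decode_klist_flags(ticket_flags)
    if "renew" not in opts:
        return "not-a-renewal: RENEW option not set in TGS-REQ"
    if "renewable" not in flags:
        return "client-side: ticket is not renewable"
    if now >= expires:
        return "client-side: ticket endtime already passed"
    if now >= renew_until:
        return "client-side: renew-till already passed"
    if error_code is None:
        return "renewal accepted"
    name = KRB_ERROR_CODES.get(error_code, f"error-code {error_code}")
    return f"kdc-side: {name} returned for a well-formed renewal"


if __name__ == "__main__":
    # Constructed from the values quoted in the thread; 'now' is assumed.
    verdict = renewal_diagnosis(
        ticket_flags="FRIA",
        expires=datetime(2020, 11, 14, 13, 15, 50),
        renew_until=datetime(2020, 11, 20, 13, 15, 50),
        now=datetime(2020, 11, 13, 14, 0, 0),
        kdc_options_hex="40800002",
        error_code=13,
    )
    print(decode_kdc_options("40800002"))
    print(decode_klist_flags("FRIA"))
    print(verdict)
```

The point of the ordering in `renewal_diagnosis` is that every client-side precondition is checked first; only when the request is well-formed and the ticket is still within both its endtime and its renew-till does a KRB-ERROR get reported as a KDC-side refusal, which is the situation the message describes.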