Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-05-04 Thread Weijun Wang 
Yes, please.

Thanks,
Max

> On May 5, 2020, at 11:58 AM, Martin Balao  wrote:
> 
> Hi Max,
> 
> On 3/30/20 5:24 PM, Martin Balao wrote:
>> 
>> CSR requested here: https://bugs.openjdk.java.net/browse/JDK-8241871
>> 
> 
> Now that the CSR has been approved, are we good to push?
> 
> Thanks,
> Martin.-
>

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-05-04 Thread Martin Balao 
Hi Max,

On 3/30/20 5:24 PM, Martin Balao wrote:
> 
> CSR requested here: https://bugs.openjdk.java.net/browse/JDK-8241871
> 

Now that the CSR has been approved, are we good to push?

Thanks,
Martin.-

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-31 Thread Weijun Wang 



> On Apr 1, 2020, at 8:22 AM, Martin Balao  wrote:
> 
> Hi Max,
> 
> Thanks for having a look at the CSR.
> 
> On 3/30/20 11:39 PM, Weijun Wang wrote:
>> 1. I don't think there is a need to talk about the java.security.krb5.conf 
>> system property, the krb5.conf file name is more popular.
>> 
> 
> Added a reference to the krb5.conf file in the first place. I wish we
> could keep a reference to the System property for completeness.

OK. I just want to emphasize that we are following MIT krb5 the reference 
implementation of krb5, but not inventing something new.

--Max

> 
>> 2. I'd rather always say "TGS requests" instead of "AP requests".
>> 
> 
> Changed. This also helped me to fix an AS/AP typo.
> 
> I set the target release to JDK-15.
> 
> Look forward to the CSR approval.
> 
> Thanks,
> Martin.-
>

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-31 Thread Martin Balao 
Hi Max,

Thanks for having a look at the CSR.

On 3/30/20 11:39 PM, Weijun Wang wrote:
> 1. I don't think there is a need to talk about the java.security.krb5.conf 
> system property, the krb5.conf file name is more popular.
> 

Added a reference to the krb5.conf file in the first place. I wish we
could keep a reference to the System property for completeness.

> 2. I'd rather always say "TGS requests" instead of "AP requests".
> 

Changed. This also helped me to fix an AS/AP typo.

I set the target release to JDK-15.

Look forward to the CSR approval.

Thanks,
Martin.-

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-30 Thread Weijun Wang 
1. I don't think there is a need to talk about the java.security.krb5.conf 
system property, the krb5.conf file name is more popular.

2. I'd rather always say "TGS requests" instead of "AP requests".

Thanks,
Max

> On Mar 31, 2020, at 4:24 AM, Martin Balao  wrote:
> 
> Hi Max,
> 
> CSR requested here: https://bugs.openjdk.java.net/browse/JDK-8241871
> 
> Look forward to your comments or approval there.
> 
> Thanks,
> Martin.-
>

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-30 Thread Martin Balao 
Hi Max,

CSR requested here: https://bugs.openjdk.java.net/browse/JDK-8241871

Look forward to your comments or approval there.

Thanks,
Martin.-

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-30 Thread Martin Balao 
Hi Max,

Thanks for having a look at this.

On 3/29/20 1:10 AM, Weijun Wang wrote:
>>  * Note: from a client side, sending an NT-ENTERPRISE cname means that
>> the cname can change in the response. Windows AD 2016, however, does not
>> change it unless 'canonicalize' flag is explicitly set in the request.
> 
> Sounds quite reasonable to me. This means "You might find info associated 
> with my other names, but please always call me by my original name".
> 

Yes, correct. In fact, Windows AD seems not to change the cname when an
NT-ENTERPRISE cname is sent and 'canonicalize' is false. AS referrals
keep working in this case.

However, it's more of a suggestion: if any other KDC decides to change
an NT-ENTERPRISE cname even when 'canonicalize' was false in the
request, we will handle that and move on (this is a bit off RFC 6806 as
'canonicalize' should have been true when sending an NT-ENTERPRISE).
That's what we -and the MIT client- mean with "NT-ENTERPRISE" implies
'canonicalize'.

Thanks,
Martin.-

Re: RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-28 Thread Weijun Wang 
The change looks good to me.

> On Mar 29, 2020, at 8:12 AM, Martin Balao  wrote:
> 
> * http://cr.openjdk.java.net/~mbalao/webrevs/8239385/8239385.webrev.00/
> ...

>  * Note: from a client side, sending an NT-ENTERPRISE cname means that
> the cname can change in the response. Windows AD 2016, however, does not
> change it unless 'canonicalize' flag is explicitly set in the request.

Sounds quite reasonable to me. This means "You might find info associated with 
my other names, but please always call me by my original name".

Thanks,
Max

RFR 8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD

2020-03-28 Thread Martin Balao 
Hi Max,

I'd like to propose a fix for 8239385 [1].

Webrev.00:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8239385/8239385.webrev.00/

The goal behind these changes is to align the Kerberos client default
'canonicalize' behavior to the MIT's one -an analysis of the latter is
available at the end of this email for reference-. There are a couple of
reasons for that:

 1) many applications are not ready to deal with cname changes in their
authorization schemes, so the previous default behavior may be too
disruptive; and,

 2) old KDCs -such as Windows AD 2008- may change the cname when
'canonicalize' is sent from the client but do not include a ENC-PA-REP
flag (nor the associated data structure) in the response. Note: cname
changes without proper authentication should not be allowed.

This change set us apart from a strict interpretation of the RFC 6806
[2], but will enhance compatibility and should not pose a security risk.

Changes per file:

 * src/java.security.jgss/share/classes/sun/security/krb5/Config.java
  * When a krb5 configuration refresh happens, we need to update the
cached 'canonicalize' value stored in ReferralsState class. Same pattern
than for other krb5 configurations.

 *
src/java.security.jgss/share/classes/sun/security/krb5/KrbAsReqBuilder.java
  * Read and cache-store of krb5 'canonicalize' configuration value.
  * 'canonicalize' flag will be sent in AS-REQs only if set to true in
the krb5 configuration. false by default.
  * AS referrals allowed only if 'canonicalize' was sent or an
NT-ENTERPRISE cname was used
   * Usage of NT-ENTERPRISE implies 'canonicalize' (despite the actual
flag may not be set). This mimics the MIT client behavior.
* Note: OpenJDK will bring APIs for using NT-ENTERPRISE clients on a
separate enhancement.
  * If there is an unexpected KDC failure, the number of max referrals
has not been exceeded and 'canonicalize' was set, retry without it.
Given that we are not tightening 'canonicalize' to NT-ENTERPRISE (as we
would do in a strict interpretation of RFC 6806), we no longer need to
check that the cname type is different than NT-ENTERPRISE to retry.
  * Improved debug output and comments

 * src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java
  * When checking the AS-REP, the usage of an NT-ENTERPRISE cname is
considered equal to sending 'canonicalize' (same as in
KrbAsReqBuilder.java).
  * When checking ENC-PA-REP in line 141, 'canonicalize' is not
relevant: whether or not ENC-PA-REP is required in the KDC response has
been already checked before. In fact, 'canonicalize' may be not sent but
we require a ENC-PA-REP in the AS-REP because an NT-ENTERPRISE cname was
used and the cname was changed by the KDC.
   * Note: from a client side, sending an NT-ENTERPRISE cname means that
the cname can change in the response. Windows AD 2016, however, does not
change it unless 'canonicalize' flag is explicitly set in the request.
  * Improved comments

 * test/jdk/sun/security/krb5/auto/ReferralsTest.java
  * Test for the use-case in which 'canonicalize' is not set, and a
referral must fail. Contributed by Max (@weijun), with enhanced comments
and cleanup function.

Testing:

 * No regressions observed in jdk/sun/security/krb5
 * ReferralsTest extended to cover the new use case
 * No regressions found in my internal Windows AD 2016 environment

In parallel to this RFR, I'll initiate a CSR process to introduce the
"canonicalize" krb5 configuration (whose default value is 'false').

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8239385
[2] - https://tools.ietf.org/html/rfc6806

--

MIT Kerberos client analysis

AS-REQs analysis


When requesting a TGT (through the AS protocol), CANONICALIZE flag is
set in the AS-REQ only if 'canonicalize' parameter or configuration
options are set [2] (false is the default value).

When receiving a KDC_ERR_WRONG_REALM referral response from a KDC, the
referral will be followed only if CANONICALIZE was set in the
corresponding AS-REQ or if the cname principal was of NT-ENTERPRISE type
[3] [4]. When analyzing the final AS-REP (after all referrals), there is
a check to enforce that either CANONICALIZE was set in the AS-REQ or the
client is a NT-ENTERPRISE principal (among other checks) [5].

kinit's documentation states that -E (for NT-ENTERPRISE principals)
implies CANONICALIZE. "Implies" does not mean that the CANONICALIZE flag
is set; only that referrals will be followed and cname changes are
accepted as if CANONICALIZE were set. In my observations, the Windows
2016 AD does not change the cname unless CANONICALIZE flag is explicitly
set in the AS-REQ.

In conclusion, referrals are followed only if 'canonicalize' is set or
if the cname is an NT-ENTERPRISE principal. Given that OpenJDK does not
currently support NT-ENTERPRISE principals in its user interface, the
MIT equivalent behavior would be to disable AS-REQ referrals by default
(when CANONICALIZE is not