New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSSD and Microsoft KB4586845 / CVE-2020-17049 #5408
Comments
Hi, please see discussion on freeipa-users about the issue. To cut is short there seems to be an issue with the current fix for CVE-2020-17049, see https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc for details. I agree that this is currently not an SSSD issue. bye, |
Microsoft has released updates that should resolve this issue but to me it doesn't seem to be fixed. We have applied the fix to one of our domain controlelrs but I'm still not able to authenticate against it. I will try to leave and rejoin the domain against the patched domain controller to get a new keytab to see if it works then... I will share my results here if that is okay? Anyway, here is a list for the optional update and the different platforms.
|
Hi, yes, please share your results here. I guess most interesting would be the content of bye, |
If you do not see those 'optional updates' fixing the issue for you, please report it back to Microsoft as well. There is nothing yet we can fix on MIT Kerberos side, as far as I understand. |
@abbra: You are correct 😄 and of course I have reported it back to Microsoft via their Service Hub. In the meantime I have tried the re-join against our Active Directory to get a new keytab from the patched domain controller. I ensured that communication was only against this DC (iptables rules, adcli option to specify DC). When I again set the option to talk only to the un-patched/old DC it works also with the new keytab. I will report back when Microsoft responds. |
Hi, thanks for the feeback. I wonder if you can share some details at which step the ticket validation fails? Although I agree that a solution most probably should come from Microsoft I'd like to understand if maybe some fallback on the AD side triggered something which can be fixed on the Linux side, e.g. an encryption type currently not allowed by the client-side configuration. If you set
If you cannot share a sanitized version of krb5_child.log I wonder if you can say if:
Thanks. bye, |
sanitized-krb5_child_log-defunct-DC.txt I attached a sanitized krb5_child.log for the not working/patched DC.
Thanks! |
Hi, thanks, so it is already the TGS request with failed. Calling
on the command line should do the same steps as SSSD does and hence show the same bye, |
@sumit-bose I was able to reproduce with kinit/kvno and forwarded the information to MS. First feedback from MS: They suspect that our issue is related to the fact that the update containing CVE-2020-17049 is not consitently deployed across all DCs. I will reproduce the issue again and provide MS with more logs so they can verify. |
Hi, thanks for the feedback. Please let us know if there are further updates and feel free to ask if you or Microsoft need more details about the Linux client side. bye, |
Microsoft seems to have identified the described issue regarding their code implementation for addressing CVE-2020-17049. Summary: All OOB patches must be deployed to all production DCs and then a workaround has to be implemented. Here is the info from my current support request: =================================== The request completely fails with the following signature rather than returning a tgs without a pac.
The signature above indicates that the Unix client is unable to acquire a service ticket because the code in CVE-2020-17049 is failing. This is a different failure the previous signature where Unix clients fail to request a new signature when unable to renew existing service tickets not marked as renewable Workaround: OR Set the UF_NO_AUTH_DATA_REQUIRED 0x02000000 in UserAccountControl for the principal that is the client for the service ticket (i.e. the Lixux computer in the case that triggered this investigation / KB article). ==================================== |
Microsoft has released fix in their monthly rollup addressing the described issue: Windows Server 2012 R2 - KB4598285 - https://support.microsoft.com/en-us/help/4598285/windows-8-1-update We will test it next week but I'm confident that it will resolve the issue 😄 |
The above Patch-Rollup finally fixed the issue 😃 |
Hi @schindlerd, thanks a lot for letting us know about your progress and documenting the required updates. bye, |
Hi,
We have a basic SSSD setup running on some of our Oralce Linux 7 machines to provide AD-authenticated access via SSH for example. After Microsofts Monthly Rollup KB4586845 being applied to our DCs (adressing CVE-2020-17049) it is no longer possible to gain system access via SSH with AD credentials. Only if I set "ad_server =" to a DC not having the MS patch installed it works again.
Is anyone else experiencing such issues after applying KB4586845?
I assume that this is not really an SSSD issue but more of a kerberos issue as such effects are also seen when using keytab in combination with Apache mod_auth_kerb for example.
Thanks in advance and kind regards,
Daniel
https://support.microsoft.com/de-de/help/4586845/windows-8-1-update
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17049
The text was updated successfully, but these errors were encountered: