-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8272162: S4U2Self ticket without forwardable flag #6082
Conversation
8272162: S4U2Self ticket without forwardable flag
👋 Welcome back weijun! A progress list of the required criteria for merging this PR into |
Hi Max, Thanks for making this contribution. I see the problem that we are addressing here, and the trade-off between the proposed approach and the complexity of locating a DS_BEHAVIOR_WIN2012 DC. I'm okay overall with the decision made. A few minor comments or suggestions:
Otherwise, looks good to me. Thanks, |
I see what you mean. I'll go through them.
Good idea.
Sorry, missed it.
That's right. Although the content of the original array argument could be modified, the caller has not used it. In fact, changing it from array to a normal object makes me feel relieved. I always needed to remind myself that this was not meant to be an '[out]' parameter.
I don't know.
That's what I asked you about a more precise way to ensure a cred is a S4U2self one. I thought about stuff the
Thanks.
|
Hi @martinuy, I looked at the variable names. Some can be named |
This would be tricky. The problem is that the 'cname' and 'crealm' in the S4U2Self ticket are the user's ones; so indistinguishable from the non-S4U2Self. The 'sname' and 'srealm' are also equal: the middle service principal. I'm not sure if there are any differences in the PAC. Even when it's a bit 'ugly', storing the 'type' looks like a reliable scheme in my opinion. But the question that concerns me most is if we really want to make such a tight check, or we are willing to forward everything. I'd suggest to keep your proposal as it is now in this regard. Meanwhile, I'll check what the MIT client does and let you know if there is anything that we to consider. |
|
Alexey said their customer has at least 50 KDCs. It will be quite a waste of time if we go through each of them and get a KDC_ERR_BADOPTION all the time. Therefore I would like this retry to be as restricted as possible.
Unfortunately we cannot call them I've pushed a new commit for everything I've tried on. |
Oops, I introduced a bug. At the end of the constructor of |
Hi @wangweij , Yes, I see the concern about the 50 KDCs scenario. But one nuance here: having different AD behaviors with issued tickets that won't be accepted in other services afterwards looks to me like a configuration problem that goes beyond OpenJDK. Now, if we cannot distinguish between S4U2Self and non-S4U2Self second tickets based on their actual data, it's likely that the KDC behaves in the same way when it comes to the forwardable flag -both in 2012 DC and after-. That would be a reason not to establish any difference in OpenJDK and behave in the same way. This official documentation here [1] makes no distinction between the two types: "The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set (see Service 1 in the figure specifying Kerberos delegation with forwarded TGT, section 1.3.3). This ticket can be obtained through an S4U2self protocol exchange." If we are concerned about this, why don't we let the user decide the behavior by means of a security/system property? That would also mitigate the risk of assuming that a KDC_ERR_BADOPTION error is always because of a non-forwardable ticket on a 2012 DC -which looks quite an assumption to me-. Thanks, |
First, my latest commit contains a mechanism to tell if a ticket is from S4U2self. Is it significant enough to change your mind? Even if there is a system property for this purpose (suppose it's named We usually introduce a system property for a compatibility reason so that existing normal cases will not behave differently, but here, we are simply trying to resurrect a former failure. The main problem I see with the current approach is still about whether a "tolerant" KDC can be accessed in time. If this can be optimized by adjusting the orders of KDC either in krb5.conf or in the DNS response, then I would be greatly relieved. |
Hi @wangweij , I liked the renaming that you proposed, including the 'ccreds -> middleTGT' change. I find it easier to reason about now. There is still a 'ccreds' in CredentialsUtil::acquireS4U2proxyCreds that you might want to check. In regards to 'type' -and assuming that we want to keep that check-, can we re-use the CredentialsUtil::S4U2Type enum type? I'm fine if you want to move the enum location to Credentials.java. I'm not sure that we are resurrecting an old failure. My understanding is that the new KrbException exception (in KdcComm::sendIfPossible) is causing a behavioral change in the sense that it's now allowing KDC iteration, and there is no way to go back to the old fail-immediately behavior. The property would be to avoid iterating over the 50 KDCs after the first failure; or it could be to not even try if the ticket is non-forwardable. In that sense, the property's name would be something like 'jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket'. My second concern is that the condition that we use to iterate might be beyond the forwardable flag scope, because we are now based on a KDC_ERR_BADOPTION error. I personally wouldn't make any distinction between S4U2Self and non-S4U2Self second tickets when it comes to the second ticket forwardable flag. |
That Other comments accepted. I'll add a system property. |
/csr |
@wangweij has indicated that a compatibility and specification (CSR) request is needed for this pull request. |
Hi @wangweij , Thanks for taking the backward-compatibility property suggestion. I went through all the changes again and have some comments / questions:
"The S4U2proxy Kerberos extension enables a middle service to obtain a service ticket to another service on behalf of a user. It requires that the user service ticket to the middle service has the forwardable flag set [1]. However, some implementations ignore this requirement and accept service tickets with the flag unset. If this security property is set to "true", then
The default value is "false". If a system property of the same name is also specified, it supersedes the security property value defined here. [1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/bde93b0e-f3c9-4ddf-9f44-e1453be7af5a Thanks, |
All suggestions accepted, except that I still write out the full name for S4U2proxy in For the |
Hi @wangweij Thanks for considering my suggestions. I agree with removing the 'forwardable middle service TGT' requirement from S4U2Self. This looks good to me. Note: I'm not an official JDK Reviewer so you'll need someone else to have a look. Martin.- |
String uRealm = user.getRealmString(); | ||
String localRealm = ccreds.getClient().getRealmString(); | ||
String localRealm = middleTGT.getClient().getRealmString(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: can just use sname on line 64?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure.
Webrevs
|
@@ -64,6 +66,10 @@ | |||
static boolean alreadyLoaded = false; | |||
private static boolean alreadyTried = false; | |||
|
|||
public final static boolean S4U2PROXY_ACCEPT_NON_FORWARDABLE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: swap to use "static final"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Thanks, Valerie
@wangweij This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 175 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
/integrate |
Going to push as commit ab867f6.
Your commit was automatically rebased without conflicts. |
The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in a S4U2self response and accept it in a S4U2proxy request.
There are 2 commits now. The 1st is a refactoring that sends more info into the methods (Ex:
KdcComm::send(byte[])
->KdcComm::send(KrbKdcReq)
, andTicket
->Credentials
in multiple places) so that insideKdcComm::send
there is enough info to decide how to deal with various errors. The 2nd is the actual fix to this issue, i.e. ignore the flag and retry another KDC.Progress
Issues
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6082/head:pull/6082
$ git checkout pull/6082
Update a local copy of the PR:
$ git checkout pull/6082
$ git pull https://git.openjdk.java.net/jdk pull/6082/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6082
View PR using the GUI difftool:
$ git pr show -t 6082
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6082.diff