Account is sensitive and cannot be delegated (userAccountControl NOT_DELEGATED flag 0x00100000)

> -----Original Message-----
> From: samba [mailto:[hidden email]] On Behalf Of Antonios
> Kalkakos via samba
> Sent: 06 January 2018 11:11
> To: [hidden email]
> Subject: [Samba] Account is sensitive and cannot be delegated
> (userAccountControl NOT_DELEGATED flag 0x00100000)
>
> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal
> Kerberos 7.1.0 packages are installed from Debian repositories. Management is
> done from MS-RSAT installed on a Windows 7 Pro client.
>
> When I select the option "Account is sensitive and cannot be delegated" (in
> Active Directory Users and Computers under the Account tab) for a user account
> regardless of its privileges, the user cannot logon on any client PC. Windows 7
> responds "Logon failure: user account restriction. Possible reasons are blank
> passwords are not allowed, logon hour restrictions, or a policy restriction has
> been enforced" and a Debian Stretch client responds "You are not allowed to
> logon from this workstation". The Samba DC will provide a non-forwardable TGT,
> if you ask for it with kinit -F command from the Linux client. Issuing the command
> kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable".
>
> Investigation with Wireshark showed that after receiving an AS-REQ for a TGT
> with the forwardable flag set, the Samba 4.5.12 DC responds a
> KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as
> kinit -f). This behavior is correct according to CVE-2016-2125
> (https://www.samba.org/samba/security/CVE-2016-2125.html) which states:
>
> 0x00100000: UF_NOT_DELEGATED:
> The UF_NOT_DELEGATED can be used to disable the ability to get forwardable
> TGT
> for the account. It means the KDC will respond with an error if the client asks
> for the forwardable ticket.  The client typically gives up and removes the
> GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
> Administrators can use this to disable possible delegation for the most
> privileged accounts (e.g. administrator accounts).
>
> Upon the initial logon procedure however, both Samba 4.5.12 and Windows 7
> clients will actually give up and not continue asking for a non-forwardable TGT,
> which means that the user will be locked out.
>
> Testing with Wireshark on another AD with one Windows 2008 R2 DC showed
> that the DC ignored the forwardable flag on AS-REQ and the user logged in
> normally having a non-forwardable TGT. All subsequent TGS requests on the
> same logon session from a Windows 7 client didn't have the forwardable flag set.
>
> Should I fill a bug for that, request to be added on Samba wiki or am I doing
> something wrong?
>
> Thank you in advance,
> Antonios Kalkakos
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

> I have an AD with two Debian Stretch Samba 4.5.12 DCs. The Samba and Heimdal Kerberos 7.1.0 packages are installed from Debian repositories. Management is done from MS-RSAT installed on a Windows 7 Pro client.
>
> When I select the option "Account is sensitive and cannot be delegated" (in Active Directory Users and Computers under the Account tab) for a user account regardless of its privileges, the user cannot logon on any client PC. Windows 7 responds "Logon failure: user account restriction. Possible reasons are blank passwords are not allowed, logon hour restrictions, or a policy restriction has been enforced" and a Debian Stretch client responds "You are not allowed to logon from this workstation". The Samba DC will provide a non-forwardable TGT, if you ask for it with kinit -F command from the Linux client. Issuing the command kinit -f will again fail with "krb5_get_init_creds: Ticket may not be forwardable".
>
> Investigation with Wireshark showed that after receiving an AS-REQ for a TGT with the forwardable flag set, the Samba 4.5.12 DC responds a KRB5KDC_ERR_POLICY with e-text "Ticket may not be forwardabale" (same as kinit -f). This behavior is correct according to CVE-2016-2125 (https://www.samba.org/samba/security/CVE-2016-2125.html) which states:
>
> 0x00100000: UF_NOT_DELEGATED:
> The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT
> for the account. It means the KDC will respond with an error if the client asks
> for the forwardable ticket.  The client typically gives up and removes the
> GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
> Administrators can use this to disable possible delegation for the most
> privileged accounts (e.g. administrator accounts).
>
> Upon the initial logon procedure however, both Samba 4.5.12 and Windows 7 clients will actually give up and not continue asking for a non-forwardable TGT, which means that the user will be locked out.
>
> Testing with Wireshark on another AD with one Windows 2008 R2 DC showed that the DC ignored the forwardable flag on AS-REQ and the user logged in normally having a non-forwardable TGT. All subsequent TGS requests on the same logon session from a Windows 7 client didn't have the forwardable flag set.
>
> Should I fill a bug for that, request to be added on Samba wiki or am I doing something wrong?