Salem's Euphoria

Do Not Require Kerberos Pre-Authentication, for users created by Ambari on AD

Disclaimer:

Microsoft says that “Disabling Kerberos Pre-Authentication must not be disabled”. They argue that:

Without Kerberos Pre-Authentication a malicious attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline. Upon checking the KDC logs, nothing will be seen except a single request for a TGT.

I don’t believe that pre-authentication adds any level of security as you can read in this nice article (section 3.1).

If an attacker is able to capture the preauthentication packets and wants to take the identity of a valid user, the attacker will need to perform the procedures that the KDC performs. The attacker will need to use the decryption procedure in the agreed upon encryption type and try running different passwords against the captured data. If it is successful then the attacker has the user’s password. The time required for this procedure is a function of the complexity of the password and the time it takes to decrypt a single password.

So, if you decide to do it, you act only on your own behalf and on your sole responsibility 😀.

When you enable Kerberos via Ambari against an Active Directory KDC, the administration tool proposes a template for the user accounts it will create in AD. The accounts are created remotely by the ADKerberosOperationHandler component of Ambari.

The default user-creation template is the “Account Attribute template” field under the Advanced krb5-conf item of the configuration accordion.


{
"objectClass": ["top", "person", "organizationalPerson", "user"],
"cn": "$principal_name",
#if( $is_service )
"servicePrincipalName": "$principal_name",
#end
"userPrincipalName": "$normalized_principal",
"unicodePwd": "$password",
"accountExpires": "0",
"userAccountControl": "66048"
}

The “userAccountControl” field of the default template holds the decimal value 66048 (hex 0x10200). This value sets exactly two flags: DONT_EXPIRE_PASSWORD and NORMAL_ACCOUNT. The attribute is a bitmask, so its value is the sum of the individual flags described by Microsoft here. The table below lists all the property flags along with their value in hexadecimal and in decimal.

Property flag                    Value in hexadecimal   Value in decimal
SCRIPT                           0x0001                 1
ACCOUNTDISABLE                   0x0002                 2
HOMEDIR_REQUIRED                 0x0008                 8
LOCKOUT                          0x0010                 16
PASSWD_NOTREQD                   0x0020                 32
PASSWD_CANT_CHANGE (see note)    0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080                 128
TEMP_DUPLICATE_ACCOUNT           0x0100                 256
NORMAL_ACCOUNT                   0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT        0x0800                 2048
WORKSTATION_TRUST_ACCOUNT        0x1000                 4096
SERVER_TRUST_ACCOUNT             0x2000                 8192
DONT_EXPIRE_PASSWORD             0x10000                65536
MNS_LOGON_ACCOUNT                0x20000                131072
SMARTCARD_REQUIRED               0x40000                262144
TRUSTED_FOR_DELEGATION           0x80000                524288
NOT_DELEGATED                    0x100000               1048576
USE_DES_KEY_ONLY                 0x200000               2097152
DONT_REQ_PREAUTH                 0x400000               4194304
PASSWORD_EXPIRED                 0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000              16777216
PARTIAL_SECRETS_ACCOUNT          0x04000000             67108864

Note on PASSWD_CANT_CHANGE: you cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the “Property flag descriptions” section of the Microsoft page.

In order to create users with the DONT_REQ_PREAUTH flag set, you add its decimal value to the flags already present in the template.

So the template value we need = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + DONT_REQ_PREAUTH

userAccountControl = 512 + 65536 + 4194304 = 4260352

The new user template should be similar to :

{
"objectClass": ["top", "person", "organizationalPerson", "user"],
"cn": "$principal_name",
#if( $is_service )
"servicePrincipalName": "$principal_name",
#end
"userPrincipalName": "$normalized_principal",
"unicodePwd": "$password",
"accountExpires": "0",
"userAccountControl": "4260352"
}
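As an added example (not code from this post or from Ambari), the following Python helper composes a userAccountControl value from flag names, decodes a value back into flag names so you can verify what the number in your template really sets, and lists which accounts in an AD export have DONT_REQ_PREAUTH set so they can be reviewed. The account names and values in SAMPLE_ACCOUNTS are constructed.

```python
from functools import reduce

# userAccountControl flag table (values from the Microsoft table above).
UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

def compose_uac(*names):
    """OR the named flags together (OR, not +, so a repeated name cannot double-count)."""
    return reduce(lambda acc, n: acc | UAC_FLAGS[n], names, 0)

def decode_uac(value):
    """Return the set of flag names whose bit is set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}

def unknown_bits(value):
    """Bits set in value that match no documented flag: a sign of a mistyped number."""
    known = reduce(lambda acc, b: acc | b, UAC_FLAGS.values(), 0)
    return value & ~known

def preauth_disabled_accounts(accounts):
    """Given (sAMAccountName, userAccountControl) pairs, list the accounts whose
    TGT can be requested without pre-authentication, so they get reviewed."""
    return [name for name, uac in accounts if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]]

# Constructed sample, as if exported from AD; hypothetical names and values.
SAMPLE_ACCOUNTS = [
    ("ambari-qa", 66048),    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (default template)
    ("hdfs-nn1", 4260352),   # the same plus DONT_REQ_PREAUTH (modified template)
    ("svc_backup", 66048 | UAC_FLAGS["DONT_REQ_PREAUTH"] | UAC_FLAGS["ACCOUNTDISABLE"]),
]

if __name__ == "__main__":
    print(compose_uac("NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH"))
    print(sorted(decode_uac(4260352)))
    print(preauth_disabled_accounts(SAMPLE_ACCOUNTS))
```

Before pasting a number into the template, run decode_uac on it and check that unknown_bits returns 0; a typo in one digit silently sets or drops flags you did not intend.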

Note that even without this change, the newly created users may already have Kerberos pre-authentication disabled by default; this depends on the default enterprise security policy configured on your AD.
To be sure the created users have the intended attributes, you may check them this way.

Bonus!

If your “hostname” command and your “hostname -f” command return different results, you may need to add both results to your /etc/hosts, in this order, to overcome Kerberos domain name resolution problems:

IP.X.X.X   shortName.fqdn.com shortName

Author: Salem Ben Afia

Big Data & Java developer Search Engine Architect, Lucene Expert