fix(add-rbcd): use SDDL/0xF01FF to fix KDC_ERR_BADOPTION on S4U2Proxy#146
Open
0xGunrunner wants to merge 1 commit into
Open
fix(add-rbcd): use SDDL/0xF01FF to fix KDC_ERR_BADOPTION on S4U2Proxy#1460xGunrunner wants to merge 1 commit into
0xGunrunner wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The original
add-rbcdBOF writes a security descriptor tomsDS-AllowedToActOnBehalfOfOtherIdentityusingGENERIC_ALL (0x10000000)as the ACE access mask. This causes S4U2Proxy to silently fail withKDC_ERR_BADOPTION(error 13) on every delegation attempt. The failure is non-obvious because the LDAP write succeeds, the attribute is present on the target, and the BOF's own verification reports the principal SID is in the DACL — RBCD appears configured but delegation never works. The workaround was to always fall back to Impacket'srbcd.pyinstead.The root cause is that
GENERIC_ALLis a generic right that requires expansion via the object type's generic mapping atAccessChecktime. The KDC's internal S4U2Proxy evaluation does not perform this expansion — it checks the stored SD directly against specific AD rights bits, so0x10000000matches nothing and the check fails. This fix replaces the manual SD construction pipeline (CreateNewDaclWithAce→MakeSelfRelativeSD) with a singleConvertStringSecurityDescriptorToSecurityDescriptorAcall using SDDLO:BAD:(A;;0xF01FF;;;SID).0xF01FFis the full set of specific AD rights includingADS_RIGHT_DS_CONTROL_ACCESS (0x100)— the right the KDC actually evaluates — and matches what Impacket writes.The rewrite also makes the BOF fully self-contained, removing the dependency on
ldap_common.candacl_common.cwhich had their own issues with the SD construction path. There is one intentional behaviour change: this version usesLDAP_MOD_REPLACEand overwrites the entire attribute rather than merging into the existing DACL. For most use cases this is fine, but worth noting if the target already has delegations that need to be preserved.