Skip to content

fix(add-rbcd): use SDDL/0xF01FF to fix KDC_ERR_BADOPTION on S4U2Proxy#146

Open
0xGunrunner wants to merge 1 commit into
Adaptix-Framework:mainfrom
0xGunrunner:fix/add-rbcd-sddl-access-mask
Open

fix(add-rbcd): use SDDL/0xF01FF to fix KDC_ERR_BADOPTION on S4U2Proxy#146
0xGunrunner wants to merge 1 commit into
Adaptix-Framework:mainfrom
0xGunrunner:fix/add-rbcd-sddl-access-mask

Conversation

@0xGunrunner

Copy link
Copy Markdown

The original add-rbcd BOF writes a security descriptor to msDS-AllowedToActOnBehalfOfOtherIdentity using GENERIC_ALL (0x10000000) as the ACE access mask. This causes S4U2Proxy to silently fail with KDC_ERR_BADOPTION (error 13) on every delegation attempt. The failure is non-obvious because the LDAP write succeeds, the attribute is present on the target, and the BOF's own verification reports the principal SID is in the DACL — RBCD appears configured but delegation never works. The workaround was to always fall back to Impacket's rbcd.py instead.

The root cause is that GENERIC_ALL is a generic right that requires expansion via the object type's generic mapping at AccessCheck time. The KDC's internal S4U2Proxy evaluation does not perform this expansion — it checks the stored SD directly against specific AD rights bits, so 0x10000000 matches nothing and the check fails. This fix replaces the manual SD construction pipeline (CreateNewDaclWithAceMakeSelfRelativeSD) with a single ConvertStringSecurityDescriptorToSecurityDescriptorA call using SDDL O:BAD:(A;;0xF01FF;;;SID). 0xF01FF is the full set of specific AD rights including ADS_RIGHT_DS_CONTROL_ACCESS (0x100) — the right the KDC actually evaluates — and matches what Impacket writes.

The rewrite also makes the BOF fully self-contained, removing the dependency on ldap_common.c and acl_common.c which had their own issues with the SD construction path. There is one intentional behaviour change: this version uses LDAP_MOD_REPLACE and overwrites the entire attribute rather than merging into the existing DACL. For most use cases this is fine, but worth noting if the target already has delegations that need to be preserved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant