[PATCH] Kerberos PAC verification (and use) for samba 3
Jeremy Allison
jra at samba.org
Mon Sep 12 16:53:42 GMT 2005
On Fri, Sep 09, 2005 at 06:30:49PM +0200, Guenther Deschner wrote:
> Hi,
>
> attached is a reworked patch that allows building more correct NT Tokens for
> Samba3 as a domain member in security=ads using a validated Kerberos PAC
> (thanks to the tremendous work happening in Samba4).
>
> I've tested the patch both with
>
> use kerberos keytab = yes and
> use kerberos keytab = no
>
> using:
> Heimdal 0.6.1rc3 (as on SLES9)
> Heimdal 0.7
> MIT Kerberos 1.4
> MIT Kerberos 1.4.2
>
> against a Windows 2003 SP1 KDC
>
> Making this work within the compatibility layer has been an enormous
> pain.
>
> The last remaining items on my list are:
>
> * trying to get rid of decoding the rd_req twice when in "use kerberos
> keytab = yes"-mode (on the other hand: parsing it just once will
> cause quite a few more ifdefed functions)
>
> * validate the logon username (add required principal-name routines)
>
> * get rid of one newly invented mem-leak (I got rid of others)
>
> Any feedback would be very welcome :)
This looks nice - once the memleak is fixed :-).
Jeremy.