[Samba] RE: Delegation of authentication (S4U) and SAMBA

Todd Stecher todd.stecher at isilon.com
Wed Feb 20 21:58:19 GMT 2008


From my readings, only the Heimdal Kerberos distribution has S4U2Self support, at least in the Samba 4 code base. MIT tries to stay away from being PAC-cognizant.


It sounds like you're trying to do something slightly different - e.g. Constrained Delegation, where the identity lives in the PAC, and not in the ticket. There are additional security considerations which come into play when relying simply on the PAC, since anyone can put a PAC into a service ticket with a custom codebase - you can easily get into cases of identity theft if you also don't verify the second (KRBTGT HMAC of the server signature) signature in the PAC.

I can't say much more than that, unfortunately, but I wanted to point out the ease of escalation of privs unless the other security mechanisms are evaluated before trusting the PAC's principal.

Todd

On Feb 20, 2008, at 12:49 PM, Andrew Bartlett wrote:

>
> On Tue, 2008-02-12 at 12:15 -0800, Ephi Dror wrote:
>> Hello,
>>
>> Does samba support the use of S4U?
>>
>> What do we need to configure in SAMBA or krb5 to support getting a
>> ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1
>>
>> We are getting the following error:
>>
>> decode_pac_data: Name in PAC [username at something1.something2.realmname] does not match principal name in ticket
>>
>> The ticket could be different than the PAC name because the ticket
>> was obtained using the S4U extension.
>
> As you have found out, the code does not currently allow this.
>
> Now that we are using the PAC, it shouldn't be too hard for you to
> change things so that instead of requiring the two strings to
> match, it takes the PAC in precedence (if available).
>
> I suggest raising this on samba-technical
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.

Todd Stecher | Windows Interop Dev
Isilon Systems    P +1-206-315-7500     F  +1-206-315-7501
www.isilon.com    D +1-206-315-7638    M +1-425-205-1180
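The point Todd raises above, that a PAC carries a server signature and a second KDC (krbtgt-keyed) signature over that server signature, and that trusting the PAC's principal without checking the second one is unsafe, is illustrated by the following added example. It is not code from the thread or from Samba: HMAC-SHA256 stands in for the Kerberos checksum types, the byte layout is this example's own rather than MS-PAC encoding, and all keys and PAC contents are constructed.

```python
import hashlib
import hmac

# Simplified model of the two keyed checksums at the end of a Windows PAC.
# Server signature: over the PAC with both signature fields zeroed, keyed with
# the service's long-term key. KDC signature: over the server signature bytes,
# keyed with the krbtgt key. HMAC-SHA256 stands in for the Kerberos checksum
# types; the byte layout here is this example's own, not MS-PAC encoding.
SIG_LEN = hashlib.sha256().digest_size


def _checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_pac(body: bytes, service_key: bytes, krbtgt_key: bytes) -> bytes:
    """Return body || server_sig || kdc_sig with both signatures computed."""
    server_sig = _checksum(service_key, body + bytes(2 * SIG_LEN))
    kdc_sig = _checksum(krbtgt_key, server_sig)
    return body + server_sig + kdc_sig


def verify_pac(pac: bytes, service_key: bytes, krbtgt_key: bytes,
               check_kdc: bool = True) -> tuple[bool, str]:
    """Verify the server signature and, unless disabled, the KDC signature.

    A real service never holds the krbtgt key; it asks a domain controller to
    validate the KDC signature on its behalf. check_kdc exists only to show
    what a server-signature-only check misses.
    """
    body, server_sig, kdc_sig = (pac[:-2 * SIG_LEN],
                                 pac[-2 * SIG_LEN:-SIG_LEN], pac[-SIG_LEN:])
    expected_server = _checksum(service_key, body + bytes(2 * SIG_LEN))
    if not hmac.compare_digest(server_sig, expected_server):
        return False, "server signature mismatch"
    if check_kdc and not hmac.compare_digest(kdc_sig, _checksum(krbtgt_key, server_sig)):
        return False, "KDC signature mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    # Constructed keys and PAC bodies; nothing here comes from a real domain.
    service_key, krbtgt_key = b"constructed-service-key", b"constructed-krbtgt-key"
    good = sign_pac(b"PAC_LOGON_INFO user=alice@EXAMPLE.REALM", service_key, krbtgt_key)
    # A PAC whose principal was rewritten by a party holding only the service
    # key: server signature recomputed, old KDC signature carried over.
    forged_body = b"PAC_LOGON_INFO user=admin@EXAMPLE.REALM"
    forged_server_sig = _checksum(service_key, forged_body + bytes(2 * SIG_LEN))
    forged = forged_body + forged_server_sig + good[-SIG_LEN:]
    return {
        "genuine": verify_pac(good, service_key, krbtgt_key),
        "forged_both_checked": verify_pac(forged, service_key, krbtgt_key),
        "forged_server_only": verify_pac(forged, service_key, krbtgt_key, check_kdc=False),
    }
```

Running `demo()` shows the rewritten PAC passing when only the server signature is checked and failing once the KDC signature is also verified, which is the gap Todd's message warns about.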