[PATCH] Kerberos PAC verification (and use) for samba 3

Andrew Bartlett abartlet at samba.org
Sat Sep 17 00:08:35 GMT 2005


On Sat, 2005-09-17 at 01:54 +0200, Guenther Deschner wrote:
> Hi,
> 
> a new (and hopefully last version) of that patch.

You wish :-)

> On Sat, Sep 10, 2005 at 03:30:08AM +1000, Andrew Bartlett wrote:
> > On Fri, 2005-09-09 at 18:30 +0200, Guenther Deschner wrote:
> > > Hi,
> > > 
> > > attached is a reworked patch that allows building more correct NT Tokens for
> > > Samba3 as a domain member in security=ads using a validated Kerberos PAC
> > > (thanks to the tremendous work happening in Samba4).
> > 
> > > Any feedback would be very welcome :)
> > 
> > A few things I noticed:
> > 
> > As per my mail to the list a couple of days ago, the handling of the
> > signatures in the PAC as fixed 16 byte quantities is our bug.
> 
> Ok, I think I fixed that in my new version (although done quite differently
> than in Samba4 :)

This was pretty much the approach that metze was proposing to me, so
it's considered quite reasonable. 

> > See if you can use the header from the netlogon pipe for the info3
> > portion of the PAC (rather than duplicating the members in authdata.h).
> 
> Tried that (needed to embed three uint32 in the info3 though). But I agree
> with you that this is better than two times the same structs.

You can't do a substruct in Samba3?

> > You (and we) should handle the case where the AD-IF-RELEVANT contents is
> > not of type 128 (ie, we should have some other bit of data that is in
> > this extension field), as well as when the first authdata element isn't
> > AD-IF-RELEVANT at all.
> 
> Done.

Almost.  In theory (and this is how the AD-IF-RELEVANT is meant to work)
we could have other types inside the IF-RELEVANT, and we should keep
looking down the list for the first that is a PAC, not just the first.  

I'm going to try and deal with this inside the libs, because the
application shouldn't have to deal with this.

> Currently I'm researching why resource groups get into the extra_sids
> array (instead of the resource group array). Anyone ever seen SIDs being
> put in the resource groups-array inside a PAC? I just can't trigger the
> Windows KDC to do that.
> 
> Andrew, anything more to deal with?

You are pretty close, as far as I can tell.  This is very good work, and
brings Samba3 a long way forward.  

> Jerry, this currently only applies to 3_0 (since trunk gets rewritten
> on a weekly basis :). 

:-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
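The AD-IF-RELEVANT walk Andrew describes above, as an added example in Python that is not part of this thread or of Samba's code: it decodes the DER AuthorizationData from RFC 4120 and returns the first PAC found inside any AD-IF-RELEVANT, skipping unrelated elements at both levels. The sample authdata and its ad-type 70 are constructed placeholders.

```python
# AuthorizationData (RFC 4120 s5.2.6) in DER: SEQUENCE OF SEQUENCE {
#   ad-type [0] Int32, ad-data [1] OCTET STRING }.  AD-IF-RELEVANT (type 1)
# wraps a nested AuthorizationData; the Windows PAC is type 128 inside it.
AD_IF_RELEVANT = 1
AD_WIN2K_PAC = 128

def _tlv(tag, body):
    # Minimal DER TLV encoder (definite lengths up to 65535 bytes)
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _read_tlv(buf, pos):
    # Decode one TLV at pos -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def encode_authdata(elements):
    # DER-encode [(ad_type, ad_data_bytes)] as AuthorizationData
    body = b""
    for ad_type, ad_data in elements:
        ival = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big")  # INTEGER 128 is 00 80
        body += _tlv(0x30, _tlv(0xA0, _tlv(0x02, ival)) + _tlv(0xA1, _tlv(0x04, ad_data)))
    return _tlv(0x30, body)

def decode_authdata(der):
    # Decode DER AuthorizationData into [(ad_type, ad_data_bytes)]
    _, body, _ = _read_tlv(der, 0)
    elements, pos = [], 0
    while pos < len(body):
        _, elem, pos = _read_tlv(body, pos)
        _, ctx0, p = _read_tlv(elem, 0)  # [0] ad-type
        _, ctx1, _ = _read_tlv(elem, p)  # [1] ad-data
        ad_type = int.from_bytes(_read_tlv(ctx0, 0)[1], "big", signed=True)
        elements.append((ad_type, _read_tlv(ctx1, 0)[1]))
    return elements

def find_pac(der):
    # First PAC inside any AD-IF-RELEVANT; never assume element 0 is IF-RELEVANT or PAC
    for ad_type, ad_data in decode_authdata(der):
        if ad_type == AD_IF_RELEVANT:
            for inner_type, inner_data in decode_authdata(ad_data):
                if inner_type == AD_WIN2K_PAC:
                    return inner_data
    return None  # no PAC present: caller must not build a token from it

# Constructed sample: unrelated element first, then an IF-RELEVANT whose first
# member is not the PAC.  Type 70 is a placeholder value, not a real ad-type.
SAMPLE = encode_authdata([(70, b"not-if-relevant"), (AD_IF_RELEVANT, encode_authdata(
    [(70, b"other-ext"), (AD_WIN2K_PAC, b"PAC-BLOB")]))])
```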