[PATCH] Kerberos PAC verification (and use) for samba 3

Arup Biswas abiswas at pillardata.com
Tue Sep 20 21:28:46 GMT 2005


Our attempt to parse the PAC_LOGON_INFO indicated that the "Extra SID" array
is present only if UserFlag contains the flag for LOGON_EXTRA_SIDS. It seems
you parse the extra sid array without this condition. Am I missing something?
Could you correctly parse the PAC without that condition?

-Arup Biswas
"Guenther Deschner" <gd at samba.org> wrote in message
news:20050916235404.GA22928 at mthelena.suse.de...

a new (and hopefully last version) of that patch.

On Sat, Sep 10, 2005 at 03:30:08AM +1000, Andrew Bartlett wrote:
> On Fri, 2005-09-09 at 18:30 +0200, Guenther Deschner wrote:
> > Hi,
> >
> > attached is a reworked patch that allows building more correct NT Tokens for
> > Samba3 as a domain member in security=ads using a validated Kerberos PAC
> > (thanks to the tremendous work happening in Samba4).
> > Any feedback would be very welcome :)
> A few things I noticed:
> As per my mail to the list a couple of days ago, the handling of the
> signatures in the PAC as fixed 16 byte quantities is our bug.

Ok, I think I fixed that in my new version (although quite differently from
how it is done in Samba4 :)

> Watch your copyrights on the large lumps of 'glue' code.

Uff, I tried my best. As you have the best overview of who did what: did I
get it right?

> See if you can use the header from the netlogon pipe for the info3
> portion of the PAC (rather than duplicating the members in authdata.h).

Tried that (needed to embed three uint32 in the info3 though). But I agree
with you that this is better than two times the same structs.

> You (and we) should handle the case where the AD-IF-RELEVANT contents is
> not of type 128 (ie, we should have some other bit of data that is in
> this extension field), as well as when the first authdata element isn't
> AD-IF-RELEVANT at all.


Currently I'm researching why resource groups get into the extra_sids
array (instead of the resource group array). Anyone ever seen SIDs being
put in the resource groups array inside a PAC? I just can't trigger the
Windows KDC to do that.

Andrew, anything more to deal with?

Jerry, this currently only applies to 3_0 (since trunk gets rewritten
on a weekly basis :).


Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd at suse.de
Samba Team                              gd at samba.org
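As an added example (not code from the patch under discussion, and not Samba's own code), the following Python script shows the two parsing points raised in this thread: sizing each PAC signature by its checksum type instead of assuming a fixed 16 bytes, and consulting ExtraSids / ResourceGroupIds only when the corresponding UserFlags bit (LOGON_EXTRA_SIDS, LOGON_RESOURCE_GROUPS) is set. The constants are the MS-PAC values; the PAC bytes and the decoded logon info are constructed here, and the dict-based logon info stands in for a real NDR decode of KERB_VALIDATION_INFO, which the example does not attempt.

```python
"""Added example: walk a PAC buffer table, size each signature by checksum
type, and gate ExtraSids / ResourceGroupIds on KERB_VALIDATION_INFO UserFlags.
Not taken from the samba patch; sample data below is constructed."""
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC 2.4)
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7   # KDC checksum

# KERB_VALIDATION_INFO UserFlags bits (MS-PAC 2.5)
LOGON_EXTRA_SIDS = 0x20
LOGON_RESOURCE_GROUPS = 0x200

# Checksum type -> signature length inside PAC_SIGNATURE_DATA (MS-PAC 2.8)
SIGNATURE_LENGTHS = {
    0xFFFFFF76: 16,   # KERB_CHECKSUM_HMAC_MD5 (RC4-HMAC keys), -138 as ULONG
    15: 12,           # HMAC_SHA1_96_AES128
    16: 12,           # HMAC_SHA1_96_AES256
}


def parse_pac_buffers(pac):
    """Parse the PACTYPE header (cBuffers, Version, PAC_INFO_BUFFER[]) and
    return {ulType: raw bytes}. Offsets are 64-bit, relative to PAC start."""
    if len(pac) < 8:
        raise ValueError("PAC shorter than header")
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unexpected PAC version %d" % version)
    if 8 + 16 * cbuffers > len(pac):
        raise ValueError("buffer table runs past end of PAC")
    buffers = {}
    for i in range(cbuffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("buffer %d runs past end of PAC" % i)
        buffers[ul_type] = pac[offset:offset + size]
    return buffers


def parse_signature_data(buf):
    """PAC_SIGNATURE_DATA: ULONG SignatureType followed by a signature whose
    length depends on that type. Reading a fixed 16 bytes over-reads an AES
    signature, which is only 12 bytes. Trailing bytes are ignored."""
    if len(buf) < 4:
        raise ValueError("signature buffer too short")
    sig_type = struct.unpack_from("<I", buf, 0)[0]
    if sig_type not in SIGNATURE_LENGTHS:
        raise ValueError("unknown checksum type 0x%08x" % sig_type)
    length = SIGNATURE_LENGTHS[sig_type]
    if len(buf) < 4 + length:
        raise ValueError("signature truncated")
    return sig_type, buf[4:4 + length]


def token_sids(info):
    """Build the SID list for an NT token from an already-decoded
    KERB_VALIDATION_INFO, given here as a plain dict (hypothetical shape,
    NDR decoding is out of scope). ExtraSids and ResourceGroupIds are only
    consulted when the matching UserFlags bit is set."""
    dom = info["LogonDomainId"]
    sids = [dom + "-%d" % info["UserId"]]
    sids += [dom + "-%d" % rid for rid in info["GroupIds"]]
    flags = info["UserFlags"]
    if flags & LOGON_EXTRA_SIDS:
        sids += list(info.get("ExtraSids", []))
    if flags & LOGON_RESOURCE_GROUPS:
        rdom = info["ResourceGroupDomainSid"]
        sids += [rdom + "-%d" % rid for rid in info.get("ResourceGroupIds", [])]
    return sids


def make_sample_pac():
    """Constructed PAC: a logon-info placeholder, an RC4-HMAC server checksum
    and an AES256 KDC checksum. Not real KDC output; signature bytes are
    illustrative and would not verify against any key."""
    logon = b"LOGON_INFO_NDR_PLACEHOLDER"
    srv = struct.pack("<I", 0xFFFFFF76) + bytes(range(16))
    kdc = struct.pack("<I", 16) + bytes(range(0xA0, 0xAC))
    entries = [(PAC_LOGON_INFO, logon), (PAC_SERVER_CHECKSUM, srv),
               (PAC_PRIVSVR_CHECKSUM, kdc)]
    table, body, offset = b"", b"", 8 + 16 * len(entries)
    for ul_type, data in entries:
        table += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)   # buffers are 8-byte aligned
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(entries), 0) + table + body


if __name__ == "__main__":
    bufs = parse_pac_buffers(make_sample_pac())
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        st, sig = parse_signature_data(bufs[t])
        print("buffer %d: checksum type 0x%08x, %d-byte signature" % (t, st, len(sig)))
    info = {"LogonDomainId": "S-1-5-21-1-2-3", "UserId": 1106, "GroupIds": [513],
            "UserFlags": LOGON_EXTRA_SIDS, "ExtraSids": ["S-1-5-21-9-9-9-1234"],
            "ResourceGroupDomainSid": "S-1-5-21-4-5-6", "ResourceGroupIds": [1108]}
    print(token_sids(info))
```

The script only parses; it does not verify the checksums, since that needs the service key and KDC key. The point of `parse_signature_data` is that the byte count after SignatureType follows from the checksum type, so a server and KDC checksum of different types in one PAC each get their own length.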
