[PATCH] Kerberos PAC verification (and use) for samba 3

Arup Biswas abiswas at pillardata.com
Tue Sep 20 22:55:55 GMT 2005 

<Currently I'm researching why resource groups get into the extra_sids
<array (instead of the ressource group array). Anyone ever seen SIDs being
<put in the resource groups-array inside a PAC? I just can't trigger the
<Windows KDC to do that.

Maybe, this is because you are not adding the following condition as
discussed in my last post?

if (userFlags & LOGON_EXTRA_SIDS)
    parse_extra_sids();

Thanks,
-Arup Biswas

"Arup Biswas" <abiswas at pillardata.com> wrote in message
news:dgpuuh$q7j$1 at sea.gmane.org...
> Hi,
>
> Our attempt to parse the PAC_LOGON_INFO indicated that the "Extra SID"
array
> is present only if UserFlag contains the flag for LOGON_EXTRA_SIDS. It
seems
> you parse
> the extra sid array without this condition. Am I missing something? Could
> you correctly parse the PAC without that condition?
>
> Thanks,
> -Arup Biswas
> "Guenther Deschner" <gd at samba.org> wrote in message
> news:20050916235404.GA22928 at mthelena.suse.de...
> Hi,
>
> a new (and hopefully last version) of that patch.
>
> On Sat, Sep 10, 2005 at 03:30:08AM +1000, Andrew Bartlett wrote:
> > On Fri, 2005-09-09 at 18:30 +0200, Guenther Deschner wrote:
> > > Hi,
> > >
> > > attached is a reworked patch that allows to build correcter NT Tokens
> for
> > > Samba3 as a domain member in security=ads using a validated Kerberos
PAC
> > > (thanks to the tremendous work happening in Samba4).
> >
> > > Any feedback would be very welcome :)
> >
> > A few things I noticed:
> >
> > As per my mail to the list a couple of days ago, the handling of the
> > signatures in the PAC as fixed 16 byte quantities is our bug.
>
> Ok, I think I fixed that in my new version (although quite different as
> done in Samba4 :)
>
> > Watch your copyrights on the large lumps of 'glue' code.
>
> Uff, I tried my best. As you have the best overview of how did what: did I
> got it right?
>
> > See if you can use the header from the netlogon pipe for the info3
> > portion of the PAC (rather than duplicating the members in authdata.h).
>
> Tried that (needed to embed three uint32 in the info3 though). But I agree
> with you that this is better then two times the same structs.
>
> > You (and we) should handle the case where the AD-IF-RELEVANT contents is
> > not of type 128 (ie, we should have some other bit of data that is in
> > this extension field), as well as when the first authdata element isn't
> > AD-IF-RELEVANT at all.
>
> Done.
>
> Currently I'm researching why resource groups get into the extra_sids
> array (instead of the ressource group array). Anyone ever seen SIDs being
> put in the resource groups-array inside a PAC? I just can't trigger the
> Windows KDC to do that.
>
> Andrew, anything more to deal with?
>
> Jerry, this currently only applies to 3_0 (since trunk gets rewritten
> on a weekly basis :).
>
> Cheers,
> Guenther
>
> -- 
> Günther Deschner                    GPG-ID: 8EE11688
> Novell / SUSE LINUX                       gd at suse.de
> Samba Team                              gd at samba.org
>
>
>
>

More information about the samba-technical mailing list