[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName

Angelos Oikonomopoulos angelos.oikonomopoulos at fp-commerce.de
Thu Feb 17 02:38:04 MST 2011


On 02/16/2011 10:39 PM, Andrew Bartlett wrote:
> On Wed, 2011-02-16 at 17:07 +0100, Angelos Oikonomopoulos wrote:
[...]
>> Now I'm not absolutely sure this will not create subtle bugs, so I'm
>> posting it here for review. I'd gladly create and/or test a more robust
>> patch (for instance the second hunk assumes that if we have the
>> logon_info data, then the account name will be valid, which I'm not sure
>> is always the case. Other code in the same function e.g. checks that
>> logon_info->info3.base.domain.string is not NULL).
>
> As far as I'm aware, logon_info->info3.base.domain.string will always be
> non-NULL in a PAC.  From memory, the docs claim it could be NULL in a
> netlogon reply from NT4 servers at one point.  (And such checks tend to
> be copied about).

Is defending against a malicious domain controller something that makes 
sense? Presumably a malicious DC can issue and use domain administrator 
tickets, which should allow it to instruct samba to do pretty much 
anything. But for all I know, such tickets may not be all-powerful, in 
which case it makes sense to defend against malformed PACs.

Thanks,
Aggelos

