[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName

Andrew Bartlett abartlet at samba.org
Thu Feb 17 03:34:42 MST 2011

On Thu, 2011-02-17 at 10:38 +0100, Angelos Oikonomopoulos wrote:
> On 02/16/2011 10:39 PM, Andrew Bartlett wrote:
> > On Wed, 2011-02-16 at 17:07 +0100, Angelos Oikonomopoulos wrote:
> [...]
> >> Now I'm not absolutely sure this will not create subtle bugs, so I'm
> >> posting it here for review. I'd gladly create and/or test a more robust
> >> patch (for instance the second hunk assumes that if we have the
> >> logon_info data, then the account name will be valid, which I'm not sure
> >> is always the case. Other code in the same function e.g. checks that
> >> logon_info->info3.base.domain.string is not NULL).
> >
> > As far as I'm aware, logon_info->info3.base.domain.string will always be
> > non-NULL in a PAC.  From memory, the docs claim it could be NULL in a
> > netlogon reply from NT4 servers at one point.  (And such checks tend to
> > be copied about).
> Is defending against a malicious domain controller something that makes 
> sense? Presumably a malicious DC can issue and use domain administrator 
> tickets, which should allow it to instruct samba to do pretty much 
> anything. But for all I know, such tickets may not be all-powerful, in 
> which case it makes sense to defend against malformed PACs.

Sure, don't crash, just don't try and do anything useful (ie just error

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list