[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName
Andrew Bartlett
abartlet at samba.org
Thu Feb 17 03:34:42 MST 2011
On Thu, 2011-02-17 at 10:38 +0100, Angelos Oikonomopoulos wrote:
> On 02/16/2011 10:39 PM, Andrew Bartlett wrote:
> > On Wed, 2011-02-16 at 17:07 +0100, Angelos Oikonomopoulos wrote:
> [...]
> >> Now I'm not absolutely sure this will not create subtle bugs, so I'm
> >> posting it here for review. I'd gladly create and/or test a more robust
> >> patch (for instance the second hunk assumes that if we have the
> >> logon_info data, then the account name will be valid, which I'm not sure
> >> is always the case. Other code in the same function e.g. checks that
> >> logon_info->info3.base.domain.string is not NULL).
> >
> > As far as I'm aware, logon_info->info3.base.domain.string will always be
> > non-NULL in a PAC. From memory, the docs claim it could be NULL in a
> > netlogon reply from NT4 servers at one point. (And such checks tend to
> > be copied about).
>
> Is defending against a malicious domain controller something that makes
> sense? Presumably a malicious DC can issue and use domain administrator
> tickets, which should allow it to instruct samba to do pretty much
> anything. But for all I know, such tickets may not be all-powerful, in
> which case it makes sense to defend against malformed PACs.
Sure, don't crash, just don't try and do anything useful (i.e. just error
out with INVALID_PARAMETER).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
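The defensive handling Andrew describes (validate the PAC's logon_info strings, and on a malformed PAC return INVALID_PARAMETER instead of crashing), as an added example that is not code from the thread, the patch under discussion, or Samba itself. The struct and NTSTATUS definitions are constructed mirrors of the fields named above, not Samba's generated types; the fallback to the principal's user part when no PAC is present is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed mirror of the fields the thread names (logon_info->info3.base.*).
 * Not Samba's generated headers; reduced to what this example needs. */
typedef struct { const char *string; } lsa_String;
typedef struct { lsa_String account_name; lsa_String domain; } netr_SamBaseInfo;
typedef struct { netr_SamBaseInfo base; } netr_SamInfo3;
typedef struct { netr_SamInfo3 info3; } PAC_LOGON_INFO;

typedef uint32_t NTSTATUS;                       /* constructed; values match the NT codes */
#define NT_STATUS_OK                ((NTSTATUS)0x00000000)
#define NT_STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define NT_STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023)

/* Never trust a PAC string before checking it is present and non-empty. A
 * missing domain or account name means a malformed PAC: do nothing useful,
 * just report INVALID_PARAMETER (no dereference of a NULL string). */
NTSTATUS pac_logon_info_check(const PAC_LOGON_INFO *logon_info)
{
    if (logon_info == NULL) return NT_STATUS_INVALID_PARAMETER;
    const char *domain  = logon_info->info3.base.domain.string;
    const char *account = logon_info->info3.base.account_name.string;
    if (domain == NULL || domain[0] == '\0')   return NT_STATUS_INVALID_PARAMETER;
    if (account == NULL || account[0] == '\0') return NT_STATUS_INVALID_PARAMETER;
    return NT_STATUS_OK;
}

/* Choose the name to map to a local account: the sAMAccountName carried in the
 * PAC wins, so a UPN like joe.bloggs@EXAMPLE.COM still maps to "jbloggs".
 * Assumption of this example: with no PAC at all, fall back to the principal's
 * user part. A PAC that fails validation is rejected, never guessed around. */
NTSTATUS pac_pick_account_name(const PAC_LOGON_INFO *logon_info,
                               const char *principal, char *out, size_t outlen)
{
    const char *name;
    size_t len;
    if (logon_info != NULL) {
        NTSTATUS status = pac_logon_info_check(logon_info);
        if (status != NT_STATUS_OK) return status;
        name = logon_info->info3.base.account_name.string;
        len  = strlen(name);
    } else {
        if (principal == NULL || principal[0] == '@') return NT_STATUS_INVALID_PARAMETER;
        const char *at = strchr(principal, '@');
        name = principal;
        len  = at ? (size_t)(at - principal) : strlen(principal);
    }
    if (len + 1 > outlen) return NT_STATUS_BUFFER_TOO_SMALL;
    memcpy(out, name, len);
    out[len] = '\0';
    return NT_STATUS_OK;
}
```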