[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Wed Aug 1 11:30:32 MDT 2012


christof.schmitt at us.ibm.com wrote on 07/30/2012 11:22:42 AM:
> christof.schmitt at us.ibm.com wrote on 07/26/2012 02:33:45 PM:
> > Here is an updated version of the winbind interface. It now tries to
> > verify the PAC signatures. If the verification succeeds, the
> > information from the PAC is stored in the netlogon_cache. The info3 is
> > always returned to the client, independent of the verification result.
> 
> I cleaned up the error handling a bit. The second patch changes the
> level of a debug message to avoid this output with log level 1:
> 
> [2012/07/30 19:56:27.389822,  1] ../auth/kerberos/kerberos_pac.c:326
> (kerberos_decode_pac)
>   PAC Decode: Failed to verify the service signature: Decrypt integrity check failed

Sorry for the noise. This update patch fixes a small issue with memory
handling in wbc_pam.c: The provided PAC needs to be copied to new
memory so that the free() call does the same for
WBC_AUTH_USER_LEVEL_PAC and WBC_AUTH_USER_LEVEL_RESPONSE.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-winbind-Extend-wbcAuthenticateUserEx-to-provide-PAC.patch
Type: application/octet-stream
Size: 11166 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120801/1fc1f25c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-auth-kerberos-Adjust-log-level-for-failed-PAC-signat.patch
Type: application/octet-stream
Size: 1032 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120801/1fc1f25c/attachment-0001.obj>

