[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Fri Aug 10 15:32:41 MDT 2012


On Fri, 2012-08-10 at 11:12 -0700, Christof Schmitt wrote:
> christof.schmitt at us.ibm.com wrote on 08/01/2012 10:30:32 AM:
> > christof.schmitt at us.ibm.com wrote on 07/30/2012 11:22:42 AM:
> > > 
> > > I cleaned up the error handling a bit. The second patch changes the
> > > level of a debug message to avoid this output with log level 1:
> > > 
> > > [2012/07/30 19:56:27.389822,  1] ../auth/kerberos/kerberos_pac.c:326(kerberos_decode_pac)
> > >   PAC Decode: Failed to verify the service signature: Decrypt integrity check failed
> > 
> > Sorry for the noise. This update patch fixes a small issue with memory
> > handling in wbc_pam.c: The provided PAC needs to be copied to new
> > memory so that the free() call does the same for
> > WBC_AUTH_USER_LEVEL_PAC and WBC_AUTH_USER_LEVEL_RESPONSE.
> 
> Ping!
> 
> Is this patch now acceptable? We have tested it internally and have
> not found problems. Who would push the patch to master?

This really needs some unit tests.  That way we can keep it working.

I know this might seem quite difficult, but there is a way to do it.   

What we need to do is very much like the RPC-PAC test, so I would
suggest extending that test to have an additional case that uses the
local (existing) machine account rather than creating one.  This would
then run against the 'member' environment in our selftest (and add
knownfail entries for the environments where the new test doesn't run
against an s3 winbindd, or put it in a new suite).

Like how this test feeds the PAC signature to the netlogon server for
verification, this would feed the whole blob.  The common credentials
layer can read the (s3) secrets.tdb, so it should be able to accept the
kerberos ticket, get the PAC and then both forward it on as well as do a
local parse.  That should allow you to then confirm all the details in
the reply. 

As to expanding the full token of SIDs, I'll try and implement that
myself on top of this and the NTLM codepath. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
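As a constructed illustration of the "local parse" step Andrew describes (an added example, not Samba code and not the patch under discussion): the PACTYPE buffer directory and the two PAC_SIGNATURE_DATA buffers are decoded according to the public MS-PAC layout, and the blob is re-emitted with both signature fields zeroed, which is the form over which a verifier recomputes the server checksum before comparing it with the one the KDC stored. The buffer-type and checksum-type constants are the spec's values; the PAC blob itself and every payload in it are constructed here, and the logon-info buffer is an opaque placeholder, since the NDR-encoded KERB_VALIDATION_INFO that actually carries the SIDs is not decoded by this example.

```python
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC section 2.4).
PAC_LOGON_INFO = 1          # KERB_VALIDATION_INFO, NDR-encoded; holds the SIDs
PAC_SERVER_CHECKSUM = 6     # signature keyed with the service's long-term key
PAC_PRIVSVR_CHECKSUM = 7    # signature keyed with the KDC's (krbtgt) key
PAC_CLIENT_INFO = 10

# PAC_SIGNATURE_DATA SignatureType values (MS-PAC 2.8) and signature lengths.
HMAC_MD5 = 0xFFFFFF76
HMAC_SHA1_96_AES128 = 0x0F
HMAC_SHA1_96_AES256 = 0x10
SIGNATURE_LEN = {HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}

PACTYPE_HDR = "<II"         # cBuffers, Version
INFO_BUFFER = "<IIQ"        # ulType, cbBufferSize, Offset (from start of PACTYPE)


def build_pac(buffers):
    """Assemble a PACTYPE blob from (ulType, payload) pairs.
    Constructed helper for this example; real PACs arrive inside the
    AD-WIN2K-PAC authorization data of a Kerberos service ticket."""
    offset = struct.calcsize(PACTYPE_HDR) + struct.calcsize(INFO_BUFFER) * len(buffers)
    directory, body = [], b""
    for ul_type, payload in buffers:
        directory.append(struct.pack(INFO_BUFFER, ul_type, len(payload), offset))
        pad = (-len(payload)) % 8          # each buffer starts 8-byte aligned
        body += payload + b"\0" * pad
        offset += len(payload) + pad
    return struct.pack(PACTYPE_HDR, len(buffers), 0) + b"".join(directory) + body


def parse_pac(blob):
    """Validate the PACTYPE directory and return {ulType: payload bytes}."""
    hdr_len = struct.calcsize(PACTYPE_HDR)
    if len(blob) < hdr_len:
        raise ValueError("PAC too short for PACTYPE header")
    c_buffers, version = struct.unpack_from(PACTYPE_HDR, blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    entry_len = struct.calcsize(INFO_BUFFER)
    if hdr_len + entry_len * c_buffers > len(blob):
        raise ValueError("buffer directory runs past end of PAC")
    out = {}
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from(INFO_BUFFER, blob, hdr_len + entry_len * i)
        if offset + size > len(blob):
            raise ValueError("buffer %d (type %d) runs past end of PAC" % (i, ul_type))
        if ul_type in out:
            raise ValueError("duplicate buffer type %d" % ul_type)
        out[ul_type] = blob[offset:offset + size]
    return out


def parse_signature(payload):
    """Decode PAC_SIGNATURE_DATA: SignatureType ULONG followed by the signature.
    A trailing RODCIdentifier, if present, is left untouched."""
    if len(payload) < 4:
        raise ValueError("signature buffer too short")
    (sig_type,) = struct.unpack_from("<I", payload, 0)
    length = SIGNATURE_LEN.get(sig_type)
    if length is None:
        raise ValueError("unknown signature type 0x%x" % sig_type)
    if len(payload) < 4 + length:
        raise ValueError("signature truncated")
    return sig_type, payload[4:4 + length]


def zeroed_for_checksum(blob):
    """Copy of the PAC with the Signature field of both PAC_SIGNATURE_DATA
    buffers zeroed; MS-PAC 2.8.1/2.8.2 define the checksums over this form."""
    buf = bytearray(blob)
    hdr_len, entry_len = struct.calcsize(PACTYPE_HDR), struct.calcsize(INFO_BUFFER)
    c_buffers, _ = struct.unpack_from(PACTYPE_HDR, blob, 0)
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from(INFO_BUFFER, blob, hdr_len + entry_len * i)
        if ul_type in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
            _, sig = parse_signature(blob[offset:offset + size])
            buf[offset + 4:offset + 4 + len(sig)] = b"\0" * len(sig)
    return bytes(buf)


def example_pac():
    """Constructed three-buffer PAC: opaque logon-info placeholder plus
    AES256 server and KDC signatures with made-up signature bytes."""
    return build_pac([
        (PAC_LOGON_INFO, b"LOGON-INFO-NDR-PLACEHOLDER"),
        (PAC_SERVER_CHECKSUM, struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x11" * 12),
        (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x22" * 12),
    ])


if __name__ == "__main__":
    pac = example_pac()
    for ul_type, payload in parse_pac(pac).items():
        print("buffer type %2d: %3d bytes" % (ul_type, len(payload)))
    print("server signature:", parse_signature(parse_pac(pac)[PAC_SERVER_CHECKSUM]))
```

The directory checks (version, bounds, duplicate types) are the ones a test feeding "the whole blob" would want to see rejected cleanly, and the zeroed copy is the input a real verifier would pass to the keyed checksum; a test comparing a local parse against the netlogon reply would then compare the decoded logon-info fields, which needs an NDR decoder this example does not include.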



