[PATCH] winbind interface to extract SIDs from PAC
Andrew Bartlett
abartlet at samba.org
Thu Aug 23 18:04:09 MDT 2012
On Fri, 2012-08-17 at 14:20 -0700, Christof Schmitt wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 08/10/2012 02:32:41 PM:
>
> > On Fri, 2012-08-10 at 11:12 -0700, Christof Schmitt wrote:
> > This really needs some unit tests. That way we can keep it working.
> >
> > I know this might seem quite difficult, but there is a way to do it.
> >
> > What we need to do is very much like the RPC-PAC test, so I would
> > suggest extending that test to have an additional case that uses the
> > local (existing) machine account rather than creating one. This would
> > then run against the 'member' environment in our selftest (and add
> > knownfail entries for the environments where the new test doesn't run
> > against an s3 winbindd, or put it in a new suite).
> >
> > Like how this test feeds the PAC signature to the netlogon server for
> > verification, this would feed the whole blob. The common credentials
> > layer can read the (s3) secrets.tdb, so it should be able to accept the
> > Kerberos ticket, get the PAC and then both forward it on as well as do a
> > local parse. That should allow you to then confirm all the details in
> > the reply.
>
> I have been going through the smbtorture and libcli code, but I could
> not find a good way to obtain the ticket with the PAC. I might need
> some help to understand this part. smbtorture can take the flags
> --machine-pass -k yes to use the machine account and Kerberos. What is
> the next step to get the ticket? Does the cli code put it in
> cli_credentials? Or would the testcase need to use the gensec_client
> calls?
This is the start of the test we worked on today.
It fails in Samba4's gssapi server, not being able to find the right
entry in the in-memory keytab. I'll try and sort that out if you don't
manage to.
Hopefully this gives you a much better idea what I was thinking of when
I started you on this wild goose chase ;-)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Attachments (non-text, scrubbed by the list archive):
- 0001-auth-credentials-Ensure-realm-and-workstation-is-pre.patch (text/x-patch, 1988 bytes): <http://lists.samba.org/pipermail/samba-technical/attachments/20120824/2c9924d8/attachment.bin>
- 0002-s4-torture-Add-start-of-a-test-to-confirm-winbindd-P.patch (text/x-patch, 8606 bytes): <http://lists.samba.org/pipermail/samba-technical/attachments/20120824/2c9924d8/attachment-0001.bin>