PAC parsing in Samba 4.1
Stefan (metze) Metzmacher
metze at samba.org
Thu Aug 1 00:31:18 MDT 2013
Am 31.07.2013 23:54, schrieb Andrew Bartlett:
> On Tue, 2013-07-30 at 08:12 -0400, simo wrote:
>> On Tue, 2013-07-30 at 15:13 +1200, Andrew Bartlett wrote:
>>> On Thu, 2013-07-25 at 20:08 +0100, Tris Mabbs wrote:
>>>> Good day, one and all ...
>>>>
>>>> I just had to rebuild our main Samba server ("OpenSlowlaris" ->
>>>> "Slowlaris 11.11"), during which I put the latest (at the time;
>>>> currently 4.2.0pre1-GIT-b505111) Samba4 on there. I thought that by
>>>> now that Gunther's speculative changes to improve the PAC decode might
>>>> have made their way into the trunk revision - obviously I was wrong,
>>>> as I'm once again getting a load of "Can't parse the PAC:
>>>> NT_STATUS_BUFFER_TOO_SMALL" messages and a user who can't access any
>>>> Samba shares.
>>>>
>>>> Whoops ...
>>>>
>>>> So as we previously discussed looking into things in more detail
>>>> (specifically finding out why there is no "client_principal" being
>>>> passed into "kerberos_decode_pac()"), but nothing else ever happened,
>>>> is there anything I can do to assist in getting the improved PAC
>>>> decoding included into the trunk revision? Whilst I can't guarantee
>>>> immediate responses to any request, I'm quite happy to stick any code
>>>> in anywhere you might want if you don't mind potentially waiting a day
>>>> or so for the results :-)
>>>
>>> GD:
>>>
>>> What happened about your code here? Can I merge your patch?
>>>
>>> I see two branches in your git repo:
>>> http://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12
>>> http://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac
>>>
>>> Are either of these ready for merging?
>>>
>>> Simo:
>>>
>>> If these are not ready, can we revert your change, as this is a
>>> regression in 4.1 vs 4.0?
>>
>> What is the regression exactly ?
>> We use this code in FreeIPA w/o issues, and removing it would break
>> FreeIPA.
>>
>> Simo.
>
> It causes a reproducible segfault for every kerberos login (for a
> particular user) for Tris Mabbs (CC'ed) that we were able to bisect down
> to this patch:
>
>>> commit a6be8a97f705247c1b1cbb0595887d8924740a71
>>> Author: Simo Sorce <idra at samba.org>
>>> Date: Thu Sep 27 14:12:06 2012 -0400
>>>
>>> Support UPN_DNS_INFO in the PAC
>>>
>>> Previously marked as UNKNOWN_12 the UPN_DNS_INFO is defined in
>>> MS-PAC
>>>
>>> Autobuild-User(master): Simo Sorce <idra at samba.org>
>>> Autobuild-Date(master): Fri Sep 28 01:13:44 CEST 2012 on
>>> sn-devel-104
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>>
>
> The failing PAC for feeding into ndrdump is available, and Tris agreed
> to contribute it as a test case once we fix this.
Here's what Günther and I were working on
https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-gd
or
https://gitweb.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12
But as far as I remember we weren't able to get any of this grough
autobuild.
I'm trying it again now...
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130801/e7421113/attachment.pgp>
More information about the samba-technical
mailing list