PAC parsing in Samba 4.1

Andrew Bartlett abartlet at samba.org
Mon Aug 12 20:28:43 MDT 2013


On Thu, 2013-08-01 at 08:31 +0200, Stefan (metze) Metzmacher wrote:
> On 31.07.2013 23:54, Andrew Bartlett wrote:
> > On Tue, 2013-07-30 at 08:12 -0400, simo wrote:
> >> On Tue, 2013-07-30 at 15:13 +1200, Andrew Bartlett wrote:
> >>> On Thu, 2013-07-25 at 20:08 +0100, Tris Mabbs wrote:
> >>>> Good day, one and all ...
> >>>>
> >>>> I just had to rebuild our main Samba server ("OpenSlowlaris" ->
> >>>> "Slowlaris 11.11"), during which I put the latest (at the time;
> >>>> currently 4.2.0pre1-GIT-b505111) Samba4 on there.  I thought that by
> >>>> now that Gunther's speculative changes to improve the PAC decode might
> >>>> have made their way into the trunk revision - obviously I was wrong,
> >>>> as I'm once again getting a load of "Can't parse the PAC:
> >>>> NT_STATUS_BUFFER_TOO_SMALL" messages and a user who can't access any
> >>>> Samba shares.
> >>>>
> >>>> Whoops ...
> >>>>
> >>>> So as we previously discussed looking into things in more detail
> >>>> (specifically finding out why there is no "client_principal" being
> >>>> passed into "kerberos_decode_pac()"), but nothing else ever happened,
> >>>> is there anything I can do to assist in getting the improved PAC
> >>>> decoding included into the trunk revision?  Whilst I can't guarantee
> >>>> immediate responses to any request, I'm quite happy to stick any code
> >>>> in anywhere you might want if you don't mind potentially waiting a day
> >>>> or so for the results :-)
> >>>
> >>> GD:
> >>>
> >>> What happened about your code here?  Can I merge your patch?
> >>>
> >>> I see two branches in your git repo:
> >>> http://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12
> >>> http://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac
> >>>
> >>> Are either of these ready for merging?
> >>>
> >>> Simo:
> >>>
> >>> If these are not ready, can we revert your change, as this is a
> >>> regression in 4.1 vs 4.0?
> >>
> >> What is the regression exactly ?
> >> We use this code in FreeIPA w/o issues, and removing it would break
> >> FreeIPA.
> >>
> >> Simo.
> > 
> > It causes a reproducible segfault for every kerberos login (for a
> > particular user) for Tris Mabbs (CC'ed) that we were able to bisect down
> > to this patch:
> > 
> >>> commit a6be8a97f705247c1b1cbb0595887d8924740a71
> >>> Author: Simo Sorce <idra at samba.org>
> >>> Date:   Thu Sep 27 14:12:06 2012 -0400
> >>>
> >>>     Support UPN_DNS_INFO in the PAC
> >>>     
> >>>     Previously marked as UNKNOWN_12 the UPN_DNS_INFO is defined in MS-PAC
> >>>     
> >>>     Autobuild-User(master): Simo Sorce <idra at samba.org>
> >>>     Autobuild-Date(master): Fri Sep 28 01:13:44 CEST 2012 on sn-devel-104
> >>>
> >>> Thanks,
> >>>
> >>> Andrew Bartlett
> >>>
> > 
> > The failing PAC for feeding into ndrdump is available, and Tris agreed
> > to contribute it as a test case once we fix this. 
> 
> Here's what Günther and I were working on
> 
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-gd
> or
> https://gitweb.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac_type12
> 
> But as far as I remember we weren't able to get any of this through
> autobuild.
> I'm trying it again now...

I'm assuming you had no success?  What was the failure?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz




More information about the samba-technical mailing list