[PATCH] winbind: Return error for failed PAC signature verification

Andrew Bartlett abartlet at samba.org
Fri May 2 23:23:05 MDT 2014


On Fri, 2014-05-02 at 14:54 -0700, Christof Schmitt wrote:
> This is a follow-up to the discussion from July last year
> (https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283).
> 
> While looking at the winbind interface to decode the PAC again, I
> started thinking if we need to return the failed PAC signature
> verification back to the caller. A client with a valid Kerberos ticket
> could generate its own PAC and authenticate to an application using the
> winbind PAC interface. If winbind does not return the failed signature
> verification, then the application could rely on false data. Based on
> this, it seems that it is better to return an error instead of untrusted
> data.

Shouldn't this have been done by the library that extracted the PAC from
the ticket?  (In Samba, we rely on exactly that in the two gensec gssapi
modules).

We can't check the PAC signature unless it used the same key we have in
winbindd.

Selecting the right key appears trivial at first, but is actually more
complex than it looks, and only the libkrb5 that did the
gss_accept_security_context() really knows; everyone else has to just
try all plausible keys.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
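
The two points raised in this thread (returning an error instead of unverified PAC data, and having to try every plausible key when the right one is not known) shown in a simplified model, as an added example that is not Samba or winbind code. Assumptions: the checksum is plain HMAC-SHA1 truncated to 96 bits rather than a real Kerberos checksum type, and all function names, key labels and sample data are constructed.

```python
import hashlib
import hmac


class PacVerificationError(Exception):
    """Raised when no candidate key validates the PAC checksum."""


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # Stand-in for a Kerberos keyed checksum (assumption): HMAC-SHA1
    # truncated to 96 bits. Real checksum types derive a checksum key first.
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def verify_pac(pac_data: bytes, signature: bytes, candidate_keys: dict) -> str:
    """Try each plausible key; return the label of the one that validates."""
    for label, key in candidate_keys.items():
        expected = keyed_checksum(key, pac_data)
        # Constant-time comparison of the computed and presented checksum.
        if hmac.compare_digest(expected, signature):
            return label
    # Fail closed: no key we hold produced this checksum.
    raise PacVerificationError("no plausible key validates the PAC")


def decode_pac_for_caller(pac_data: bytes, signature: bytes,
                          candidate_keys: dict) -> bytes:
    """Hand PAC contents to the caller only after verification succeeds."""
    verify_pac(pac_data, signature, candidate_keys)
    return pac_data


# Constructed sample data: the service holds a current and a previous key.
KEYS = {"current": b"k" * 16, "previous": b"p" * 16}
PAC = b"constructed-logon-info: user=alice groups=users"
GOOD_SIG = keyed_checksum(KEYS["previous"], PAC)
# Checksum made with a key the service does not hold.
UNTRUSTED_SIG = keyed_checksum(b"not-a-service-key", PAC)

if __name__ == "__main__":
    print("validated with key:", verify_pac(PAC, GOOD_SIG, KEYS))
    try:
        decode_pac_for_caller(PAC, UNTRUSTED_SIG, KEYS)
    except PacVerificationError as exc:
        print("rejected:", exc)
```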



