[PATCH] winbind: Return error for failed PAC signature verification

Christof Schmitt cs at samba.org
Mon May 5 15:48:11 MDT 2014


On Sat, May 03, 2014 at 05:23:05PM +1200, Andrew Bartlett wrote:
> On Fri, 2014-05-02 at 14:54 -0700, Christof Schmitt wrote:
> > This is a follow-up to the discussion from July last year
> > (https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283).
> > 
> > While looking at the winbind interface to decode the PAC again, i
> > started thinking if we need to return the failed PAC signature
> > verification back to the caller. A client with a valid kerberos ticket
> > could generate its own PAC and authenticate to an application using the
> > winbind PAC interface. If winbind does not return the failed signature
> > verification, then the application could rely on false data. Based on
> > this, it seems that it is better to return an error instead of untrusted
> > data.
> 
> Shouldn't this have been done by the library that extracted the PAC from
> the ticket?  (In Samba, we rely on exactly that in the two gensec gssapi
> modules).

That would be useful, i have to check how that could be done.

> We can't check the PAC signature unless it used the same key we have in
> winbindd.
> 
> Selecting the right key appears trivial at first, but is actually more
> complex than it looks, and only the libkrb5 that did the
> gss_accept_security_context() really knows, everyone else has to just
> try all plausible keys. 

Yes, understood. The related issue i see is that there is no indication
to the caller if the PAC information has been stored or not (according
to the result of the signature verification). It would be useful to
provide some status back to the caller. Failing the request with an
error code is just a big hammer to do this.

Christof


More information about the samba-technical mailing list