[PATCH] winbind: Return error for failed PAC signature verification

Andrew Bartlett abartlet at samba.org
Mon May 5 17:03:08 MDT 2014


On Mon, 2014-05-05 at 14:48 -0700, Christof Schmitt wrote:
> On Sat, May 03, 2014 at 05:23:05PM +1200, Andrew Bartlett wrote:
> > On Fri, 2014-05-02 at 14:54 -0700, Christof Schmitt wrote:
> > > This is a follow-up to the discussion from July last year
> > > (https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283).
> > > 
> > > While looking at the winbind interface to decode the PAC again, I
> > > started thinking if we need to return the failed PAC signature
> > > verification back to the caller. A client with a valid kerberos ticket
> > > could generate its own PAC and authenticate to an application using the
> > > winbind PAC interface. If winbind does not return the failed signature
> > > verification, then the application could rely on false data. Based on
> > > this, it seems that it is better to return an error instead of untrusted
> > > data.
> > 
> > Shouldn't this have been done by the library that extracted the PAC from
> > the ticket?  (In Samba, we rely on exactly that in the two gensec gssapi
> > modules).
> 
> That would be useful, I have to check how that could be done.

The gssapi_obtain_pac_blob() code in auth/kerberos/gssapi_pac.c shows
you how to do it.

> > We can't check the PAC signature unless it used the same key we have in
> > winbindd.
> > 
> > Selecting the right key appears trivial at first, but is actually more
> > complex than it looks, and only the libkrb5 that did the
> > gss_accept_security_context() really knows, everyone else has to just
> > try all plausible keys. 
> 
> Yes, understood. The related issue I see is that there is no indication
> to the caller if the PAC information has been stored or not (according
> to the result of the signature verification). It would be useful to
> provide some status back to the caller. Failing the request with an
> error code is just a big hammer to do this.

Sounds reasonable, but I don't think it should fail.  I realise we need
the side-effect of loading the cache for the desired result (getting the
groups) to work.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
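The design point argued in this thread (a PAC decode interface should tell the caller whether the signature verified instead of silently handing back data a client may have generated itself, and a verifier outside the accepting library can only try every plausible key) is illustrated below with a self-contained model. This is an added example, not Samba's winbind or gssapi_pac.c code: the PAC is modelled as a JSON body followed by an HMAC-SHA256 tag rather than the real PAC structure and checksum types, and all key material and blobs are constructed inline.

```python
import hashlib
import hmac
import json
from enum import Enum
from typing import List, Optional, Tuple

MAC_LEN = 32  # HMAC-SHA256 digest length; stands in for the real PAC server checksum


class PacStatus(Enum):
    VERIFIED = "verified"            # tag matched one of the keys we hold
    SIGNATURE_FAILED = "sig_failed"  # parsed, but no trusted key produced this tag
    MALFORMED = "malformed"          # could not be parsed at all


def sign_pac(payload: dict, key: bytes) -> bytes:
    """Constructed stand-in for a KDC signing a PAC: JSON body || HMAC-SHA256(body)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decode_pac(blob: bytes, candidate_keys: List[bytes]) -> Tuple[PacStatus, Optional[dict]]:
    """Model of a winbind-style decode that reports verification status to the caller.

    Only the library that ran gss_accept_security_context() knows which key the
    ticket used, so a decoder sitting elsewhere tries every plausible key.  The
    decoded data is returned together with the status rather than being dropped
    or silently trusted; the caller applies its own policy.
    """
    if len(blob) <= MAC_LEN:
        return PacStatus.MALFORMED, None
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    try:
        payload = json.loads(body)
    except ValueError:
        return PacStatus.MALFORMED, None
    for key in candidate_keys:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return PacStatus.VERIFIED, payload
    return PacStatus.SIGNATURE_FAILED, payload


def groups_for_authz(blob: bytes, candidate_keys: List[bytes]) -> List[str]:
    """Application-side policy: act on group membership only when the PAC verified."""
    status, payload = decode_pac(blob, candidate_keys)
    if status is not PacStatus.VERIFIED or payload is None:
        return []
    return list(payload.get("groups", []))


# Constructed sample keys and blobs (not real Kerberos material).
KDC_KEY = b"constructed-kdc-signing-key"
OTHER_KEY = b"constructed-unrelated-key"
GOOD_PAC = sign_pac({"user": "alice", "groups": ["Domain Users"]}, KDC_KEY)
# A PAC built by the client with a key the verifier does not hold.
CLIENT_BUILT_PAC = sign_pac({"user": "alice", "groups": ["Domain Admins"]}, b"client-chosen-key")

if __name__ == "__main__":
    keys = [OTHER_KEY, KDC_KEY]
    for name, blob in (("good", GOOD_PAC), ("client-built", CLIENT_BUILT_PAC), ("short", b"xx")):
        status, data = decode_pac(blob, keys)
        print(f"{name:12s} {status.value:10s} groups={groups_for_authz(blob, keys)}")
```

Returning the status alongside the parsed data matches the "not a big hammer" position in the thread: the decoder does not fail the request, any cache-filling side effect can still run, and the application decides what to do with a PAC it could not verify.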
