eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at samba.org
Thu Mar 12 03:55:56 MDT 2015


On 12.03.2015 at 09:05, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
>>>> I noticed it only because the PAC in the AS-REP and referral ticket were
>>>> generated by a Windows 2012R2 KDC and the samba/heimdal kdc
>>>> fails to verify the PAC in the TGS-REQ.
>>>>
>>>> I'll have a look at the patches later, thanks!
>>>>
>>>> metze
>>>>
>>>
>>> Thanks.  It seems I broke samba4.local.pac, so I'll investigate that
>>> tomorrow if it isn't obvious to you.
>>
>> This showed up that we got things wrong in our old PAC-creation code,
>> and made me think about UPN and samAccountName values with spaces in
>> them.  The attached patches fix these cases as well.
>>
>> Attached is the whole series.  Please review/push when you are able.
> 
> Pushed with minor whitespace fixes
> and splitting/reordering some patches.

Ok, this fails like this:

Domain=[SAMBADOMAIN] OS=[Windows 6.1] Server=[Samba
4.3.0pre1-DEVELOPERBUILD]
You are not root, most things won't work
ERR: (No such object) "No such Base DN:
cn=testallowed,cn=users,DC=SAMBA,DC=EXAMPLE,DC=COM" on DN
cn=testallowed,cn=users,DC=SAMBA,DC=EXAMPLE,DC=COM at block before line 5
ERR: (No such object) "No such Base DN:
cn=testallowed,cn=users,DC=SAMBA,DC=EXAMPLE,DC=COM" on DN
cn=testallowed,cn=users,DC=SAMBA,DC=EXAMPLE,DC=COM at block before line 7
ERR: (No such object) "No such Base DN:
cn=testdenied,cn=users,DC=SAMBA,DC=EXAMPLE,DC=COM" on DN
cn=testdenied,cn=users,DC=SAMBA,DC=EXAMPLE,DC=COM at block before line 5
Could not find machine account in secrets database: Failed to fetch
machine account password for SAMBADOMAIN from both secrets.ldb (Could
not find entry to match filter:
'(&(flatname=SAMBADOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary
Domains': No such object: (null)) and from
/memdisk/metze/a/b9658/samba/bin/ab/s4member/private/secrets.tdb:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(exception): Failed to add members "test allowed" to group "Allowed
RODC Password Replication Group" - Unable to find "test allowed".
Operation cancelled.
  File "bin/python/samba/netcmd/group.py", line 227, in run
    add_members_operation=True)
  File "bin/python/samba/samdb.py", line 274, in add_remove_group_members
    raise Exception('Unable to find "%s". Operation cancelled.' % member)
Unable to add 'test allowed' user to 'Allowed RODC Password Replication
Group':
./bin/samba-tool group addmembers
--configfile=/memdisk/metze/a/b9658/samba/bin/ab/s4member/etc/smb.conf
'Allowed RODC Password Replication Group' test\ allowed
failed to start up environment 's4member' at
/memdisk/metze/a/b9658/samba/selftest/target/Samba.pm line 49.
samba can't start up known environment 's4member' at
/memdisk/metze/a/b9658/samba/selftest/selftest.pl line 852.


I've repushed the patches without whitespace handling.

metze
