eUPN and Kerberos PAC issues

Andrew Bartlett abartlet at samba.org
Thu Mar 12 14:08:50 MDT 2015


On Thu, 2015-03-12 at 11:06 +0100, Stefan (metze) Metzmacher wrote:
> On 12.03.2015 at 10:28, Andrew Bartlett wrote:
> > On Thu, 2015-03-12 at 09:05 +0100, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >>>>> I noticed it only because the PAC in the AS-REP and referral ticket were
> >>>>> generated by a Windows 2012R2 KDC and the samba/heimdal kdc
> >>>>> fails to verify the PAC in the TGS-REQ.
> >>>>>
> >>>>> I'll have a look at the patches later, thanks!
> >>>>>
> >>>>> metze
> >>>>>
> >>>>
> >>>> Thanks.  It seems I broke samba4.local.pac, so I'll investigate that
> >>>> tomorrow if it isn't obvious to you.
> >>>
> >>> This showed up that we got things wrong in our old PAC-creation code,
> >>> and made me think about UPN and samAccountName values with spaces in
> >>> them.  The attached patches fix these cases as well.
> >>>
> >>> Attached is the whole series.  Please review/push when you are able.
> >>
> >> Pushed with minor whitespace fixes
> >> and splitting/reordering some patches.
> > 
> > I don't see the additional tests in your autobuild.  Are you planning on
> > pushing those later?
> 
> There was a problem with the s4member env.
> 
> I've fixed the bug, see
> https://git.samba.org/?p=metze/samba-autobuild/.git;a=commitdiff;h=272ab25b540f8e2a718fbdff5acc6e73798fc415
> and pushed everything.

Thank you so much for looking into this, and sorry for the bother!

I'm really pleased with how the KDC and our AD support is improving, and
being validated.  Thanks for all your efforts in this area.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


