[MS-BKRP] backupkey server and GnuTLS
Andreas Schneider
asn at samba.org
Thu Nov 26 15:55:31 UTC 2015
On Friday 20 November 2015 10:44:04 Andrew Bartlett wrote:
> > So I hope you can explain the testing procedures you used ...
>
> This is what we did (we used libvirt snapshot VMs):
>
> - Take a Dec 2014 patched Windows 8.1 machine that has never, ever been
> joined to the domain
>
> - Join to the domain
>
> - Log in as administrator
>
> - Open Credentials Manager (part of control panel, can be searched for)
>
> - If it gives an error, then there is an issue, if it opens correctly
> you are OK.

Hi Andrew,

I've tested with Windows 8.1 and fixed the remaining bugs. After I identified
the remaining issues, I improved the torture test. It doesn't only validate
the RSA key bits but also the rest of the cert. I ran the test against Windows
2012 to fine-tune it.

You can find the patchset for review here:

https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-rpc-bkrp

So that we are completely using GnuTLS, you need version 3.4.7. This version
offers gnutls_x509_crt_set_issuer_unique_id(). I check for this symbol and, if
found, we only build the backupkey server using GnuTLS. If not, the certificate
self-signing part still uses Heimdal.

The top commit is an additional torture test which only works against Windows
and backupkey built with GnuTLS 3.4.7.

The attachment shows that Windows 8.1 Credentials Manager is working.

Please review and push!

Thanks,
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: backupkey.png
Type: image/png
Size: 549030 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151126/96dc4095/backupkey-0001.png>