[PATCH] skip asserted identity sids in token generation

Stefan Metzmacher metze at samba.org
Tue Feb 9 06:56:49 UTC 2016


Hi Günther,

can you please comment on my mail from ~3 weeks ago (see below)
before starting to backport patches...

Thanks!
metze
>> The S-1-18-1 (Authentication authority asserted identity) is typically
>> part of the PAC validation info3 from Windows Server 2012 and should
>> be omitted for the token calculation as it remains as an unmapped group.
> 
> I'm wondering if this is really the correct place to handle this.
> 
> Wouldn't create_local_token() be the correct place to skip this?
> That's the place where we create the unix_token. I'm
> also wondering if this isn't handled in master already.
> create_local_nt_token_from_info3() seems to ignore unmapped
> sids already. I think I've tested master (4.3) against a windows 2012
> domain a few month ago.
> 
> As we support full NT ACL when using the acl_xattr module
> and we should evaluate all sids there and not filtering out
> some before. E.g. there's a reason why these sids are added by Windows 2012.
> And we should be able to deny access for S4U2Self tickets.
> 
> metze
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160209/b23abb33/signature.sig>


More information about the samba-technical mailing list