[PATCH] skip asserted identity sids in token generation

Guenther Deschner gd at samba.org
Tue Feb 9 08:21:16 UTC 2016


Yep, I'll comment on that once I'm back in germany. 

Von meinem iPhone gesendet

> Am 09.02.2016 um 07:56 schrieb Stefan Metzmacher <metze at samba.org>:
> 
> Hi Günther,
> 
> can you please comment on my mail from ~3 weeks ago (see below)
> before starting to backport patches...
> 
> Thanks!
> metze
>>> The S-1-18-1 (Authentication authority asserted identity) is typically
>>> part of the PAC validation info3 from Windows Server 2012 and should
>>> be omitted for the token calculation as it remains as an unmapped group.
>> 
>> I'm wondering if this is really the correct place to handle this.
>> 
>> Wouldn't create_local_token() be the correct place to skip this?
>> That's the place where we create the unix_token. I'm
>> also wondering if this isn't handled in master already.
>> create_local_nt_token_from_info3() seems to ignore unmapped
>> sids already. I think I've tested master (4.3) against a windows 2012
>> domain a few month ago.
>> 
>> As we support full NT ACL when using the acl_xattr module
>> and we should evaluate all sids there and not filtering out
>> some before. E.g. there's a reason why these sids are added by Windows 2012.
>> And we should be able to deny access for S4U2Self tickets.
>> 
>> metze
> 



More information about the samba-technical mailing list