[PATCH] skip asserted identity sids in token generation

Stefan Metzmacher metze at samba.org
Sun Jan 17 18:40:02 UTC 2016


Hi G√ľnther,

> The S-1-18-1 (Authentication authority asserted identity) is typically
> part of the PAC validation info3 from Windows Server 2012 and should
> be omitted for the token calculation as it remains as an unmapped group.

I'm wondering if this is really the correct place to handle this.

Wouldn't create_local_token() be the correct place to skip this?
That's the place where we create the unix_token. I'm
also wondering if this isn't handled in master already.
create_local_nt_token_from_info3() seems to ignore unmapped
sids already. I think I've tested master (4.3) against a windows 2012
domain a few month ago.

As we support full NT ACL when using the acl_xattr module
and we should evaluate all sids there and not filtering out
some before. E.g. there's a reason why these sids are added by Windows 2012.
And we should be able to deny access for S4U2Self tickets.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160117/7b825832/signature.sig>


More information about the samba-technical mailing list