[PATCH] skip asserted identity sids in token generation

Stefan Metzmacher metze at samba.org
Sun Jan 17 18:45:13 UTC 2016


Am 17.01.2016 um 19:40 schrieb Stefan Metzmacher:
> Hi G√ľnther,
> 
>> The S-1-18-1 (Authentication authority asserted identity) is typically
>> part of the PAC validation info3 from Windows Server 2012 and should
>> be omitted for the token calculation as it remains as an unmapped group.
> 
> I'm wondering if this is really the correct place to handle this.
> 
> Wouldn't create_local_token() be the correct place to skip this?
> That's the place where we create the unix_token. I'm
> also wondering if this isn't handled in master already.
> create_local_nt_token_from_info3() seems to ignore unmapped
> sids already. I think I've tested master (4.3) against a windows 2012
> domain a few month ago.

That's create_local_token() directly not create_local_nt_token_from_info3()

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160117/a78d4d70/signature.sig>


More information about the samba-technical mailing list