Fix smartcard offline logon and NTLM authentication

Andrew Bartlett abartlet at samba.org
Sat Jul 9 03:43:53 UTC 2016


On Mon, 2016-06-27 at 19:10 +1200, Andrew Bartlett wrote:
> > >  - Tests to show we fill in the PAC correctly, both in the PKINIT
> > > and not-PKINIT case (given we are adding the UPN stuff).
> > >  - Confirmation that the password in the PAC is correct (as above).
> > >
> > >  - You could pull one password with GetNCChanges REPL_OBJECT if
> > > you want to test the randomly generated case.
> > This would require a lot of additional work, as it's currently not
> > possible to get the required replykey out of existing krb5 libraries
> > in order to decrypt the PAC_CREDENTIALS blob.
> 
> We already have tests for the PAC in smbtorture.  Please just extend
> those.
> 
> > I agree it would be nice to have tests for all this, but if they
> > are required to get this in, it would mean these fixes for real
> > world problems won't make it into 4.5, sorry.
> 
> We need this stuff tested, and we have what is needed to start.  We
> can't add a change like this to our core authorization layer without
> tests that cover it comprehensively, specifically:  
>  - NDR tests of saved PAC values
>  - runtime tests of expected PAC values from the live KDC in each
> situation.

I would really like to break the deadlock here.  Even if we can't
validate the password, presumably we can validate the presence of a
correct-length blob in the PAC.  

Any quick hints on setting up the smart card stuff on Windows so I can
make a start on such a test, or at least some example PAC values I can
encode NDR tests for?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
