Fix smartcard offline logon and NTLM authentication
Stefan Metzmacher
metze at samba.org
Mon Jul 11 20:36:31 UTC 2016
On 09.07.2016 at 05:43, Andrew Bartlett wrote:
> On Mon, 2016-06-27 at 19:10 +1200, Andrew Bartlett wrote:
>>>> - Tests to show we fill in the PAC correctly, both in the PKINIT and
>>>> not-PKINIT case (given we are adding the UPN stuff).
>>>> - Confirmation that the password in the PAC is correct (as above).
>>>>
>>>> - You could pull one password with GetNCChanges REPL_OBJECT if you
>>>> want to test the randomly generated case.
>>>
>>> This would require a lot of additional work, as it's currently not
>>> possible to get the required replykey out of existing krb5 libraries
>>> in order to decrypt the PAC_CREDENTIALS blob.
>>
>> We already have tests for the PAC in smbtorture. Please just extend
>> those.
>>
>>> I agree it would be nice to have tests for all this, but if they are
>>> required to get this in, it would mean these fixes for real world
>>> problems won't make it into 4.5,
>>> sorry.
>>
>> We need this stuff tested, and we have what is needed to start. We
>> can't add a change like this to our core authorization layer without
>> tests that cover it comprehensively, specifically:
>> - NDR tests of saved PAC values
>> - runtime tests of expected PAC values from the live KDC in each
>> situation.
>
> I would really like to break the deadlock here. Even if we can't
> validate the password, presumably we can validate the presence of a
> correct-length blob in the PAC.
>
> Any quick hints on setting up the smart card stuff on Windows so I can
> make a start on such a test, or at least some example PAC values I can
> encode NDR tests for?
I'll hopefully get to it tomorrow.
metze