Fix smartcard offline logon and NTLM authentication

Stefan Metzmacher metze at samba.org
Tue Jul 19 18:05:08 UTC 2016


Am 11.07.2016 um 22:36 schrieb Stefan Metzmacher:
> Am 09.07.2016 um 05:43 schrieb Andrew Bartlett:
>> On Mon, 2016-06-27 at 19:10 +1200, Andrew Bartlett wrote:
>>>>>   - Tests to show we fill in the PAC correctly, both in the PKINIT
>>>>> and not-PKINIT case (given we are adding the UPN stuff).
>>>>>   - Confirmation that the password in the PAC is correct (as above).
>>>>>
>>>>>   - You could pull one password with GetNCChanges REPL_OBJECT if
>>>>> you want to test the randomly generated case.
>>>>
>>>> This would require a lot of additional work, as it's currently not
>>>> possible to get the required replykey out of existing krb5 libraries
>>>> in order to decrypt the PAC_CREDENTIALS blob.
>>>
>>> We already have tests for the PAC in smbtorture.  Please just extend
>>> those.
>>>
>>>> I agree it would be nice to have tests for all this, but if they
>>>> are required to get this in, it would mean these fixes for real
>>>> world problems won't make it into 4.5, sorry.
>>>
>>> We need this stuff tested, and we have what is needed to start.  We
>>> can't add a change like this to our core authorization layer without
>>> tests that cover it comprehensively, specifically:  
>>>  - NDR tests of saved PAC values
>>>  - runtime tests of expected PAC values from the live KDC in each
>>> situation.
>>
>> I would really like to break the deadlock here.  Even if we can't
>> validate the password, presumably we can validate the presence of a
>> correct-length blob in the PAC.  
>>
>> Any quick hints on setting up the smart card stuff on Windows so I can
>> make a start on such a test, or at least some example PAC values I can
>> encode NDR tests for?
> 
> I'll hopefully get to it tomorrow.

I've added more PAC tests to
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-base

Some of this is already reviewed by Günther and on its way to master.

Please have a look.

https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-ok
is rebased on master4-smart-base.

I'm not sure what tests you see as a requirement to let this in...

And
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-tmp
finally adds the UPN_DNS_INFO to the kdc code.

https://git.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-current
is able to decrypt the PAC_CREDENTIAL_INFO blob.

Examples can be found here:
https://www.samba.org/~metze/caps/krb5/pkinit/

https://www.samba.org/~metze/caps/krb5/pkinit/w4edom-l4.base-pkinit1.keytab
can decrypt
https://www.samba.org/~metze/caps/krb5/pkinit/w4edom-l4.base-pkinit1-try05.pcap.gz

https://www.samba.org/~metze/caps/krb5/pkinit/w4edom-l4.base-pkinit1-try05-AS-PAC.dat
has the PAC from the AS-REP.
https://www.samba.org/~metze/caps/krb5/pkinit/w4edom-l4.base-pkinit1-try05-TGS-PAC.dat
has the PAC from the TGS-REP.
https://www.samba.org/~metze/caps/krb5/pkinit/w4edom-l4.base-pkinit1-try05-PAC_CREDENTIAL_INFO.dat
has the PAC_CREDENTIAL_INFO blob that is the same in AS-REP and TGS-REP.
https://www.samba.org/~metze/caps/krb5/pkinit/w4edom-l4.base-pkinit1-try05-PAC_CREDENTIALS_DATA_NDR.dat
has the PAC_CREDENTIALS_DATA_NDR blob (the decrypted value).

metze
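Andrew's suggestion earlier in the thread, validating the presence of a correct-length PAC_CREDENTIAL_INFO blob even without the AS reply key to decrypt it, as an added example in Python. This is not code from Samba, from smbtorture or from this thread; it follows the MS-PAC layout (PACTYPE header, PAC_INFO_BUFFER table with ulType/cbBufferSize/Offset, buffer type 2 = PAC_CREDENTIAL_INFO carrying Version, EncryptionType and the encrypted NDR blob). The sample PAC bytes, the `build_pac` helper and the per-etype minimum ciphertext sizes are constructed assumptions for the example, not values taken from the captures linked above.

```python
"""Locate and sanity-check the PAC_CREDENTIAL_INFO buffer inside a Kerberos PAC.

Layout per MS-PAC: a PACTYPE header (cBuffers, Version) followed by
PAC_INFO_BUFFER entries (ulType, cbBufferSize, Offset), all little-endian,
with each buffer's data 8-byte aligned. The PAC_CREDENTIAL_INFO buffer
(ulType 2) starts with Version and EncryptionType and then carries the
encrypted PAC_CREDENTIAL_DATA NDR blob. All sample bytes here are constructed.
"""
import struct

PAC_TYPE_LOGON_INFO = 1
PAC_TYPE_CREDENTIAL_INFO = 2
PAC_TYPE_SRV_CHECKSUM = 6
PAC_TYPE_KDC_CHECKSUM = 7
PAC_TYPE_UPN_DNS_INFO = 12

# Kerberos encryption types the AS reply key may use, with the smallest
# ciphertext each produces for any plaintext: AES-CTS carries a 16-byte
# confounder block plus a 12-byte HMAC-SHA1-96 tag; RC4-HMAC carries a
# 16-byte checksum plus an 8-byte confounder. Used only as a length floor.
ETYPE_MIN_CIPHERTEXT = {
    17: 16 + 12,  # aes128-cts-hmac-sha1-96
    18: 16 + 12,  # aes256-cts-hmac-sha1-96
    23: 16 + 8,   # rc4-hmac
}

HEADER = struct.Struct("<II")        # cBuffers, Version
INFO_BUFFER = struct.Struct("<IIQ")  # ulType, cbBufferSize, Offset


def parse_pac(data):
    """Return [(ulType, payload bytes)] in table order, rejecting bad offsets/sizes."""
    if len(data) < HEADER.size:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = HEADER.unpack_from(data, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    table_end = HEADER.size + count * INFO_BUFFER.size
    if table_end > len(data):
        raise ValueError("PAC_INFO_BUFFER table runs past end of PAC")
    buffers = []
    for i in range(count):
        ultype, size, offset = INFO_BUFFER.unpack_from(data, HEADER.size + i * INFO_BUFFER.size)
        # Buffers must be 8-byte aligned, sit after the table and stay in bounds.
        if offset % 8 or offset < table_end or offset + size > len(data):
            raise ValueError("buffer %d (type %d) has bad offset/size" % (i, ultype))
        buffers.append((ultype, bytes(data[offset:offset + size])))
    return buffers


def parse_credential_info(payload):
    """Split a PAC_CREDENTIAL_INFO payload into (Version, EncryptionType, encrypted blob)."""
    if len(payload) < 8:
        raise ValueError("PAC_CREDENTIAL_INFO too short for its fixed header")
    version, etype = struct.unpack_from("<II", payload, 0)
    if version != 0:
        raise ValueError("unexpected PAC_CREDENTIAL_INFO version %d" % version)
    return version, etype, payload[8:]


def check_credential_info(pac):
    """Report whether the PAC carries exactly one plausibly sized PAC_CREDENTIAL_INFO.

    Structure and length only: confirming the hashes inside still requires
    decrypting the blob with the AS reply key (key usage 16), which needs
    access the thread notes existing krb5 libraries do not expose.
    """
    found = [p for t, p in parse_pac(pac) if t == PAC_TYPE_CREDENTIAL_INFO]
    if len(found) != 1:
        return {"present": False, "count": len(found)}
    _, etype, encrypted = parse_credential_info(found[0])
    minimum = ETYPE_MIN_CIPHERTEXT.get(etype)
    return {
        "present": True,
        "count": 1,
        "etype": etype,
        "encrypted_len": len(encrypted),
        "plausible": minimum is not None and len(encrypted) >= minimum,
    }


def build_pac(buffers):
    """Lay out (ulType, payload) pairs as a PACTYPE blob with 8-byte aligned buffers (test helper)."""
    header = bytearray(HEADER.pack(len(buffers), 0))
    table = bytearray()
    body = bytearray()
    first_offset = HEADER.size + len(buffers) * INFO_BUFFER.size
    for ultype, payload in buffers:
        table += INFO_BUFFER.pack(ultype, len(payload), first_offset + len(body))
        body += payload
        body += b"\0" * (-len(body) % 8)  # pad to the next 8-byte boundary
    return bytes(header + table + body)


# Constructed sample: stub logon info, an aes256 credential blob with a
# 32-byte ciphertext, a UPN_DNS_INFO stub and two checksum stubs.
SAMPLE_CRED = struct.pack("<II", 0, 18) + bytes(range(32))
SAMPLE_PAC = build_pac([
    (PAC_TYPE_LOGON_INFO, b"\x01" * 20),
    (PAC_TYPE_CREDENTIAL_INFO, SAMPLE_CRED),
    (PAC_TYPE_UPN_DNS_INFO, b"\x02" * 12),
    (PAC_TYPE_SRV_CHECKSUM, b"\x03" * 16),
    (PAC_TYPE_KDC_CHECKSUM, b"\x04" * 16),
])

# Constructed failure case: the ciphertext is shorter than aes256 can produce.
SHORT_CRED_PAC = build_pac([
    (PAC_TYPE_LOGON_INFO, b"\x01" * 20),
    (PAC_TYPE_CREDENTIAL_INFO, struct.pack("<II", 0, 18) + b"\xff" * 8),
])

if __name__ == "__main__":
    print(check_credential_info(SAMPLE_PAC))
    print(check_credential_info(SHORT_CRED_PAC))
```

Run against a real PAC (for instance the `*-AS-PAC.dat` and `*-TGS-PAC.dat` files above), `check_credential_info` gives the test the thread asked for without the reply key: the buffer is present exactly once, its Version is 0, and the ciphertext is at least as long as its EncryptionType allows. The NDR content check (the decrypted `PAC_CREDENTIALS_DATA_NDR` blob) remains a separate step that needs the key.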
