Fix smartcard offline logon and NTLM authentication

Andrew Bartlett abartlet at
Tue Jul 19 19:38:44 UTC 2016

On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:

> I've added more PAC tests to
> master4-smart-base
> Some of this is already reviewed by Günther and on its way to master.
> Please have a look.


> master4-smart-ok
> is rebased on master4-smart-base.
> I'm not sure what tests you see as a requirement to let this in...

I understand your frustration.  Hopefully the below spells it out a bit
more clearly.

> And
> master4-smart-tmp
> finally adds the UPN_DNS_INFO to the kdc code.

In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a runtime
assertion of the UPN_DNS_INFO, and the PAC ordering, and anything else
(within reason) that we can detect.  

This is because the torture/auth/pac.c code no longer runs the same PAC
marshalling code as the KDC, because we let Heimdal do more of that
now.  That is probably why those tests still pass (they expect a
byte-for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add

Further, I would like to see that test run against the server using
PKINIT credentials, and to assert the presence of the CREDENTIALS
structure in the right place, and ideally decrypted.  (I will accept
not decrypted however). 

That would, in my view, provide the testing needed for the smart-card

I'll make a start on these requirements today.  As I don't have the
instructions on setting up smart cards logons with AD, I may need you
to verify the tests on Windows 2012R2 if I can't work it out.


> ads/ws-metze-current
> is able to decrypt the PAC_CREDENTIAL_INFO blob.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
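As an added example (not Samba's torture code and not from this thread), the runtime checks asked for above in stand-alone form: parse the PACTYPE buffer table, assert the buffer ordering, assert that UPN_DNS_INFO is present and decodes, and when the ticket came from PKINIT assert that a PAC_CREDENTIAL_INFO buffer is present (header parsed, payload left encrypted). Wire layouts follow MS-PAC sections 2.3, 2.4, 2.6 and 2.10. The expected buffer order, the sample PAC, the user name alice@example.com and the EXAMPLE.COM domain are all assumptions of this example; the non-UPN payloads are dummy bytes, not real NDR-encoded structures.

```python
"""Added example (not Samba code): PAC buffer-order and UPN_DNS_INFO checks.

Layouts follow MS-PAC 2.3 (PACTYPE), 2.4 (PAC_INFO_BUFFER),
2.6 (PAC_CREDENTIAL_INFO) and 2.10 (UPN_DNS_INFO). The expected order
asserted in check_pac() is an assumption of this example.
"""
import struct

# PAC_INFO_BUFFER.ulType values (MS-PAC 2.4)
PAC_TYPE_LOGON_INFO = 0x01
PAC_TYPE_CREDENTIAL_INFO = 0x02
PAC_TYPE_SRV_CHECKSUM = 0x06
PAC_TYPE_KDC_CHECKSUM = 0x07
PAC_TYPE_LOGON_NAME = 0x0A
PAC_TYPE_UPN_DNS_INFO = 0x0C

UPN_DNS_FLAG_NO_UPN = 0x1  # U flag: account had no UPN, the KDC synthesised one


class PacCheckError(Exception):
    """The PAC parsed, but failed one of the test's assertions."""


def build_pac(buffers):
    """Serialise [(ulType, payload), ...] as a PACTYPE; payloads 8-byte aligned."""
    header_len = 8 + 16 * len(buffers)
    offset = (header_len + 7) & ~7
    entries, body = [], b""
    for ul_type, payload in buffers:
        entries.append(struct.pack("<IIQ", ul_type, len(payload), offset))
        padded = payload + b"\0" * (-len(payload) % 8)
        body += padded
        offset += len(padded)
    header = struct.pack("<II", len(buffers), 0) + b"".join(entries)
    return header + b"\0" * (-len(header) % 8) + body


def parse_pac(blob):
    """Return [(ulType, payload), ...] in on-wire order; structural errors raise ValueError."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("PACTYPE.Version must be 0, got %d" % version)
    bufs = []
    for i in range(count):
        ul_type, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off + size > len(blob):
            raise ValueError("buffer %d (type 0x%x) runs past end of PAC" % (i, ul_type))
        bufs.append((ul_type, blob[off:off + size]))
    return bufs


def build_upn_dns_info(upn, dns_domain, flags=0):
    """UPN_DNS_INFO: four USHORT length/offset fields, ULONG Flags, then UTF-16LE strings."""
    upn_b = upn.encode("utf-16-le")
    dns_b = dns_domain.encode("utf-16-le")
    upn_off = 12  # strings follow the fixed 12-byte header; offsets are from struct start
    dns_off = upn_off + len(upn_b)
    return struct.pack("<HHHHI", len(upn_b), upn_off, len(dns_b), dns_off, flags) + upn_b + dns_b


def parse_upn_dns_info(buf):
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    return {
        "upn": buf[upn_off:upn_off + upn_len].decode("utf-16-le"),
        "dns_domain": buf[dns_off:dns_off + dns_len].decode("utf-16-le"),
        "upn_synthesised": bool(flags & UPN_DNS_FLAG_NO_UPN),
    }


def check_pac(blob, pkinit):
    """The assertions a PAC test would make. Returns the decoded UPN_DNS_INFO,
    plus the PAC_CREDENTIAL_INFO encryption type when pkinit=True."""
    bufs = parse_pac(blob)
    types = [t for t, _ in bufs]
    # Assumed order: LOGON_INFO, [CREDENTIAL_INFO if PKINIT], LOGON_NAME,
    # UPN_DNS_INFO, SRV_CHECKSUM, KDC_CHECKSUM.
    expected = [PAC_TYPE_LOGON_INFO]
    if pkinit:
        expected.append(PAC_TYPE_CREDENTIAL_INFO)
    expected += [PAC_TYPE_LOGON_NAME, PAC_TYPE_UPN_DNS_INFO,
                 PAC_TYPE_SRV_CHECKSUM, PAC_TYPE_KDC_CHECKSUM]
    if types != expected:
        raise PacCheckError("buffer order %s, expected %s"
                            % ([hex(t) for t in types], [hex(t) for t in expected]))
    by_type = dict(bufs)  # types are unique once the order check has passed
    result = parse_upn_dns_info(by_type[PAC_TYPE_UPN_DNS_INFO])
    if pkinit:
        # PAC_CREDENTIAL_INFO: Version (0), EncryptionType, then SerializedData
        # encrypted under the AS reply key. Presence only; not decrypted here.
        version, etype = struct.unpack_from("<II", by_type[PAC_TYPE_CREDENTIAL_INFO], 0)
        if version != 0:
            raise PacCheckError("PAC_CREDENTIAL_INFO.Version must be 0, got %d" % version)
        result["credential_etype"] = etype
    return result


def sample_pac(pkinit):
    """Constructed input: dummy bytes for everything except UPN_DNS_INFO and the
    PAC_CREDENTIAL_INFO header (etype 18 = aes256-cts-hmac-sha1-96)."""
    bufs = [(PAC_TYPE_LOGON_INFO, b"\x01" * 24)]
    if pkinit:
        bufs.append((PAC_TYPE_CREDENTIAL_INFO, struct.pack("<II", 0, 18) + b"\xaa" * 40))
    bufs += [
        (PAC_TYPE_LOGON_NAME, b"\x02" * 20),
        (PAC_TYPE_UPN_DNS_INFO, build_upn_dns_info("alice@example.com", "EXAMPLE.COM")),
        (PAC_TYPE_SRV_CHECKSUM, struct.pack("<I", 16) + b"\0" * 12),
        (PAC_TYPE_KDC_CHECKSUM, struct.pack("<I", 16) + b"\0" * 12),
    ]
    return build_pac(bufs)


if __name__ == "__main__":
    print(check_pac(sample_pac(pkinit=True), pkinit=True))
    try:
        check_pac(sample_pac(pkinit=False), pkinit=True)  # no CREDENTIAL_INFO: must fail
    except PacCheckError as e:
        print("rejected:", e)
```

A real test would feed check_pac() the PAC extracted from a ticket obtained with PKINIT credentials against the KDC under test, and would verify the server and KDC checksums before trusting any of the other buffers; the order list is the one thing to adjust if the KDC being tested emits additional buffer types (claims, device info) in between.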
