Fix smartcard offline logon and NTLM authentication

Andrew Bartlett abartlet at samba.org
Tue Jul 19 19:38:44 UTC 2016


On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:

> I've added more PAC tests to
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-base
> 
> Some of this is already reviewed by Günther and on its way to master.
> 
> Please have a look.

Thanks. 

> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-ok
> is rebased on master4-smart-base.
> 
> I'm not sure what tests you see as a requirement to let this in...

I understand your frustration.  Hopefully the below spells it out a bit
more clearly.

> And
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-tmp
> finally adds the UPN_DNS_INFO to the kdc code.
> 

In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a runtime
assertion of the UPN_DNS_INFO, and the PAC ordering, and anything else
(within reason) that we can detect.  

This is because the torture/auth/pac.c code no longer runs the same PAC
marshalling code as the KDC, because we let Heimdal do more of that
now.  That is probably why those tests still pass (they expect a
byte-for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add
UPN_DNS_INFO.

Further, I would like to see that test run against the server using
PKINIT credentials, and to assert the presence of the CREDENTIALS
structure in the right place, and ideally decrypted.  (I will accept
not decrypted however). 

That would, in my view, provide the testing needed for the smart-card
changes.

I'll make a start on these requirements today.  As I don't have the
instructions on setting up smart-card logons with AD, I may need you
to verify the tests on Windows 2012R2 if I can't work it out.

> https://git.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-current
> is able to decrypt the PAC_CREDENTIAL_INFO blob.

Great!

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
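Added example, not Samba's torture code and not from this thread: a stand-alone Python checker in the spirit of the test_PACVerify() assertions requested above. It walks a PACTYPE header, reports a missing UPN_DNS_INFO buffer (and, for a PKINIT logon, a missing PAC_CREDENTIAL_INFO buffer), compares the buffer order with an assumed Windows order, and decodes the UPN_DNS_INFO strings; EXPECTED_ORDER, the helper names and the PAC built by build_pac() are assumptions and constructed test data.

```python
import struct
# PAC_INFO_BUFFER ulType values from MS-PAC section 2.4.
PAC_LOGON_INFO, PAC_CREDENTIAL_INFO, PAC_CLIENT_INFO = 1, 2, 10
PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_UPN_DNS_INFO = 6, 7, 12
# Assumed Windows buffer order (checksums last); verify against a real capture.
EXPECTED_ORDER = [PAC_LOGON_INFO, PAC_CREDENTIAL_INFO, PAC_CLIENT_INFO,
                  PAC_UPN_DNS_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM]

def parse_pac(blob):
    """Walk the PACTYPE header; return [(ulType, payload)] in on-wire order."""
    cbuffers, _version = struct.unpack_from("<II", blob, 0)
    out = []
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):  # bounds check before slicing
            raise ValueError("buffer %d (type %d) overruns the PAC" % (i, ultype))
        out.append((ultype, blob[offset:offset + size]))
    return out

def decode_upn_dns_info(buf):
    """UPN_DNS_INFO: (len, offset) pairs for two UTF-16LE strings, then Flags."""
    ul, uo, dl, do, flags = struct.unpack_from("<HHHHI", buf, 0)
    return buf[uo:uo + ul].decode("utf-16-le"), buf[do:do + dl].decode("utf-16-le"), flags

def check_pac(blob, pkinit):
    """Return the findings a PAC verify test should fail on (empty list == pass)."""
    types, problems = [t for t, _ in parse_pac(blob)], []
    if PAC_UPN_DNS_INFO not in types:
        problems.append("UPN_DNS_INFO missing")
    if pkinit and PAC_CREDENTIAL_INFO not in types:
        problems.append("PAC_CREDENTIAL_INFO missing on PKINIT logon")
    seen = [t for t in types if t in EXPECTED_ORDER]
    if seen != sorted(seen, key=EXPECTED_ORDER.index):
        problems.append("buffer order %r differs from expected Windows order" % types)
    return problems

def build_pac(buffers):
    """Constructed test input only: pack [(ulType, payload)] into a PACTYPE blob."""
    offset, entries, body = 8 + 16 * len(buffers), b"", b""
    for ultype, payload in buffers:
        padded = payload + b"\0" * (-len(payload) % 8)  # keep buffers 8-byte aligned
        entries += struct.pack("<IIQ", ultype, len(payload), offset)
        body, offset = body + padded, offset + len(padded)
    return struct.pack("<II", len(buffers), 0) + entries + body

def build_upn_dns_info(upn, dns_domain):
    # Constructed test input only: both strings placed right after the 12-byte header.
    u, d = upn.encode("utf-16-le"), dns_domain.encode("utf-16-le")
    return struct.pack("<HHHHI", len(u), 12, len(d), 12 + len(u), 0) + u + d
```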