Fix smartcard offline logon and NTLM authentication
metze at samba.org
Wed Jul 20 08:44:31 UTC 2016
On 19.07.2016 at 21:38, Andrew Bartlett wrote:
> On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
>> I've added more PAC tests to
>> Some of this is already reviewed by Günther and on its way to master.
>> Please have a look.
>> is rebased on master4-smart-base.
>> I'm not sure what tests you see as a requirement to let this in...
> I understand your frustration. Hopefully the below spells it out a bit
> more clearly.
>> master4-smart-tmp finally adds the UPN_DNS_INFO to the kdc code.
> In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a runtime
> assertion of the UPN_DNS_INFO, and the PAC ordering, and anything else
> (within reason) that we can detect.
> This is because the torture/auth/pac.c code no longer runs the same PAC
> marshalling code as the KDC, because we let Heimdal do more of that
> now. That is probably why those tests still pass (they expect a
> byte-for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add
Done, see the master4-smart-tmp branch.
> Further, I would like to see that test run against the server using
> PKINIT credentials, and to assert the presence of the CREDENTIALS
> structure in the right place, and ideally decrypted. (I will accept
> not decrypted however).
> That would, in my view, provide the testing needed for the smart-card
> I'll make a start on these requirements today. As I don't have the
> instructions on setting up smart cards logons with AD, I may need you
> to verify the tests on Windows 2012R2 if I can't work it out.
The instructions I used are available at
see the comments in
The manage-ca scripts are also in master:selftest/manage-ca/
You just need a .cnf and .sh file for your own domain.
But concentrate on getting it working in autobuild; the thing I need
help with is how to do a pkinit when given 3 files:
the CA cert, the user cert and the user private key without passphrase.
With that information we need to kinit, and the result needs to be
in a cli_credentials structure.
I guess we can then just pass that cli_credentials structure to
We can use cli_credentials_get_password() => NULL as an indication for pkinit
and expect a PAC_CREDENTIAL_INFO element.
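The PKINIT step asked about above, shown at the command-line level as an added example; this is not code from the thread or from Samba's selftest. It takes the same three files (CA cert, user cert, unencrypted user key), checks that they are usable before contacting the KDC, and then calls kinit. It assumes MIT krb5's kinit option syntax (`-X X509_user_identity=FILE:cert,key` and `-X X509_anchors=FILE:ca`); Heimdal's kinit takes the identity as `-C FILE:cert,key` and picks up anchors from krb5.conf, so `build_kinit_cmd` would need adjusting there. The principal, realm and file paths are placeholders, and the checks rely on the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): obtain a TGT with PKINIT
# from three files: CA cert, user cert, user private key without passphrase.
# Assumes MIT krb5 kinit syntax; principal, realm and paths are placeholders.

# Sanity-check the inputs before touching the KDC. Returns non-zero with a
# reason on stderr so a wrapper (e.g. a selftest script) fails early.
pkinit_check_inputs() {
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "pkinit: cannot read $f" >&2; return 1; }
    done
    # The key must load without a passphrase: feed openssl an empty one so an
    # encrypted PEM fails instead of prompting.
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1 \
        || { echo "pkinit: $key is encrypted or not a private key" >&2; return 1; }
    # The user cert must chain to the CA that the KDC trusts.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "pkinit: $cert does not verify against $ca" >&2; return 1; }
    # Cert and key must belong together: compare their public keys (SPKI PEM).
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "pkinit: $cert and $key do not match" >&2; return 1; }
    return 0
}

# Render the kinit command line (MIT syntax) without running it, so it can be
# inspected or logged. $4 is the principal, $5 the credential cache name.
build_kinit_cmd() {
    ca="$1"; cert="$2"; key="$3"; princ="$4"; ccache="$5"
    printf 'kinit -c %s -X X509_user_identity=FILE:%s,%s -X X509_anchors=FILE:%s %s\n' \
        "$ccache" "$cert" "$key" "$ca" "$princ"
}

# Full flow: validate the three files, run PKINIT, then list the result.
pkinit_kinit() {
    ca="$1"; cert="$2"; key="$3"; princ="$4"; ccache="$5"
    pkinit_check_inputs "$ca" "$cert" "$key" || return 1
    build_kinit_cmd "$ca" "$cert" "$key" "$princ" "$ccache" | sed 's/^/+ /' >&2
    kinit -c "$ccache" \
        -X "X509_user_identity=FILE:$cert,$key" \
        -X "X509_anchors=FILE:$ca" \
        "$princ" || return 1
    klist -c "$ccache"
}

# Example invocation (all values are placeholders):
# pkinit_kinit ./ca.pem ./user.pem ./user.key user@EXAMPLE.COM FILE:/tmp/krb5cc_pkinit
```

A credential obtained this way carries no password, which is the condition the mail proposes to detect with `cli_credentials_get_password()` returning NULL; a PAC test built on top of it can then require the PAC_CREDENTIAL_INFO element.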