Fix smartcard offline logon and NTLM authentication

Stefan Metzmacher metze at samba.org
Wed Jul 20 08:44:31 UTC 2016


On 19.07.2016 at 21:38, Andrew Bartlett wrote:
> On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
> 
>> I've added more PAC tests to
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/
>> master4-smart-base
>>
>> Some of this is already reviewed by Günther and on its way to master.
>>
>> Please have a look.
> 
> Thanks. 
> 
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/
>> master4-smart-ok
>> is rebased on master4-smart-base.
>>
>> I'm not sure what tests you see as a requirement to let this in...
> 
> I understand your frustration.  Hopefully the below spells it out a bit
> more clearly.
> 
>> And
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/
>> master4-smart-tmp
>> finally adds the UPN_DNS_INFO to the kdc code.
>>
> 
> In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a runtime
> assertion of the UPN_DNS_INFO, and the PAC ordering, and anything else
> (within reason) that we can detect.  
> 
> This is because the torture/auth/pac.c code no longer runs the same PAC
> marshalling code as the KDC, because we let Heimdal do more of that
> now.  That is probably why those tests still pass (they expect a
> byte-for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add
> UPN_DNS_INFO.

Done, see the master4-smart-tmp branch.

> Further, I would like to see that test run against the server using
> PKINIT credentials, and to assert the presence of the CREDENTIALS
> structure in the right place, and ideally decrypted.  (I will accept
> not decrypted however). 
> 
> That would, in my view, provide the testing needed for the smart-card
> changes.
> 
> I'll make a start on these requirements today.  As I don't have the
> instructions on setting up smart cards logons with AD, I may need you
> to verify the tests on Windows 2012R2 if I can't work it out.

The instructions I used are available at
https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/
see the comments in
https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/manage-CA-w4edom-l4.base.sh

The manage-ca scripts are also in master:selftest/manage-ca/
You just need a .cnf and .sh file for your own domain.

But concentrate on getting it working in autobuild; the thing I need
help with is how to do a pkinit when given 3 files
(the ca cert, the user cert and the user private key without passphrase):
with that information we need to kinit, and the result needs to be
in a cli_credentials structure.

I guess we can then just pass that cli_credentials structure to
test_PACVerify().
We can use cli_credentials_get_password() => NULL as indication for pkinit
and expect a PAC_CREDENTIAL_INFO element.

metze
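As an added example (not code from this thread or from Samba itself), here is a Python sketch of the PAC-level assertions discussed above: parse the PACTYPE buffer list, require UPN_DNS_INFO, and treat a missing password as the PKINIT marker that a PAC_CREDENTIAL_INFO buffer must be present. The buffer-order check (LOGON_INFO first, server and KDC checksum last), the sample PAC builder and the user name are my assumptions, not something the mail specifies.

```python
import struct

PAC_LOGON_INFO, PAC_CREDENTIAL_INFO, PAC_SRV_CHECKSUM = 1, 2, 6   # MS-PAC ulType values
PAC_KDC_CHECKSUM, PAC_CLIENT_INFO, PAC_UPN_DNS_INFO = 7, 10, 12

def parse_pac_buffers(pac):
    """PACTYPE {cBuffers, Version, PAC_INFO_BUFFER[]} -> [(ulType, payload)] in wire order."""
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unexpected PACTYPE version %d" % version)
    out = []
    for i in range(cbuffers):
        ultype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if off + size > len(pac):
            raise ValueError("PAC buffer type %d runs past the end" % ultype)
        out.append((ultype, pac[off:off + size]))
    return out

def parse_upn_dns_info(buf):
    """UPN_DNS_INFO: UpnLength, UpnOffset, DnsDomainNameLength, DnsDomainNameOffset, Flags."""
    ulen, uoff, dlen, doff, flags = struct.unpack_from("<HHHHI", buf, 0)
    return (buf[uoff:uoff + ulen].decode("utf-16-le"),
            buf[doff:doff + dlen].decode("utf-16-le"), flags)

def check_pac(pac, password):
    """password=None marks a PKINIT logon (the cli_credentials_get_password() => NULL idea)."""
    types = [t for t, _ in parse_pac_buffers(pac)]
    problems = []
    if PAC_UPN_DNS_INFO not in types:
        problems.append("UPN_DNS_INFO missing")
    if (password is None) != (PAC_CREDENTIAL_INFO in types):
        problems.append("PAC_CREDENTIAL_INFO presence does not match logon type")
    # Ordering assumption: LOGON_INFO first, server then KDC checksum last
    if types[:1] != [PAC_LOGON_INFO] or types[-2:] != [PAC_SRV_CHECKSUM, PAC_KDC_CHECKSUM]:
        problems.append("unexpected PAC buffer order %r" % types)
    return problems

def build_pac(buffers):
    """Constructed sample PAC for offline tests: header, then 8-byte-aligned payloads."""
    entries, body, off = b"", b"", 8 + 16 * len(buffers)
    for ultype, payload in buffers:
        entries += struct.pack("<IIQ", ultype, len(payload), off)
        payload += b"\0" * (-len(payload) % 8)
        body, off = body + payload, off + len(payload)
    return struct.pack("<II", len(buffers), 0) + entries + body

def sample_upn_dns_info(upn, dns):
    u, d = upn.encode("utf-16-le"), dns.encode("utf-16-le")   # constructed payload
    return struct.pack("<HHHHI", len(u), 12, len(d), 12 + len(u), 0) + u + d
```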
