PATCHES: Password sync as active directory domain controller

Stefan Metzmacher metze at samba.org
Wed Jul 20 08:50:10 UTC 2016


On 20.07.2016 at 07:01, Andrew Bartlett wrote:
> On Wed, 2016-07-20 at 07:49 +1200, Andrew Bartlett wrote:
>> On Tue, 2016-07-19 at 13:26 +0200, Stefan Metzmacher wrote:
>>
>>> Added, my master4-gpgme branch does not conflict with master4-smart-*
>>> any more.
>>> I think it's ready to push.
>>
>> It is great to see ndr validation for 'strange'
>> supplementalCredentials blobs.  
>>
>> Can we please add some not-strange blobs while we are at
>> it?  Specifically from Windows and Samba with a GPGme password?
> 
>> I'll grab some from whatever archives I can find today, specifically
>> the saved old Samba provisions.
> 
> http://git.catalyst.net.nz/gitweb?p=samba.git;a=shortlog;h=refs/heads/metze-master4-gpgme
> 
> Here you can see I've done this part.  I hope you will see from this
> work that I'm really keen to continue to work with you to get this in.

I've included this into my branches.

>> That is the only blocker I see from my side.
> 
> The next blocker is that it seems we generate a different blob to
> Windows with our password_hash code.  In particular, you will see in
> those commits that the order of the Packages is different between Samba
> and Windows 2012R2.
> 
> I'm out of time for today, but we need a test added in (say) the
> samba.tests.samba_tool.user.UserCmdTestCase.set_password test that
> extracts the supplementalCredentials from the database directly, and
> then asserts on the order and any other useful details, so we lock down
> the structure we produce. 

I've added such a check.

> I'll look into that tomorrow if you don't manage to knock it up in the
> meantime.  Perhaps you can look first at why the order is different?

There's no difference.

        /*
         * The ordering is this
         *
         * Primary:Kerberos-Newer-Keys (optional)
         * Primary:Kerberos
         * Primary:WDigest
         * Primary:CLEARTEXT (optional)
         * Primary:SambaGPG (optional)
         *
         * And the 'Packages' package is inserted before the last
         * other package.
         */

I hope the master4-gpgme branch which is now based on master4-smart-base
is ready to go.

metze
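
The ordering rule from the comment quoted in the message above, written as the kind of order check the thread asks for. This is an added example, not code from Samba or from either poster; it works on package names only (extracting them from supplementalCredentials is out of scope), and the function names are hypothetical.

```python
# Added illustration, not Samba code. Package names are taken from the
# comment quoted in the message; everything else is hypothetical.
CANONICAL = [
    # (name, optional) in the order given by the comment
    ("Primary:Kerberos-Newer-Keys", True),
    ("Primary:Kerberos", False),
    ("Primary:WDigest", False),
    ("Primary:CLEARTEXT", True),
    ("Primary:SambaGPG", True),
]
PACKAGES = "Packages"


def expected_order(present_optional):
    """Return the expected name order for a set of present optional packages."""
    names = [n for n, optional in CANONICAL
             if not optional or n in present_optional]
    # 'Packages' is inserted before the last other package.
    names.insert(len(names) - 1, PACKAGES)
    return names


def check_order(observed):
    """Return a list of problems; an empty list means the order matches."""
    problems = []
    known = {name for name, _ in CANONICAL}
    others = [n for n in observed if n != PACKAGES]
    for n in others:
        if n not in known:
            problems.append("unknown package: " + n)
    if observed.count(PACKAGES) != 1:
        problems.append("expected exactly one 'Packages' entry")
    # Assumption: packages not marked optional in the comment are always present.
    for name, optional in CANONICAL:
        if not optional and name not in others:
            problems.append("missing package: " + name)
    if not problems:
        want = expected_order(set(others))
        if list(observed) != want:
            problems.append("order is %r, expected %r" % (list(observed), want))
    return problems


if __name__ == "__main__":
    # Constructed sample: 'Packages' wrongly placed last.
    sample = ["Primary:Kerberos", "Primary:WDigest", "Packages"]
    print(check_order(sample))
```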
