Fix smartcard offline logon and NTLM authentication
metze at samba.org
Thu Jul 21 15:49:15 UTC 2016
Am 21.07.2016 um 12:46 schrieb Andrew Bartlett:
> On Wed, 2016-07-20 at 10:44 +0200, Stefan Metzmacher wrote:
>> Am 19.07.2016 um 21:38 schrieb Andrew Bartlett:
>>> On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
>>>> I've added more PAC tests to
>>>> Some of this is already reviewed by Günther and on its way to
>>>> Please have a look.
>>>> is rebased on master4-smart-base.
>>>> I'm not sure what tests you see as a requirement to let this
>>> I understand your frustration. Hopefully the below spells it out a
>>> more clearly.
>>>> master4-smart-tmp> finally adds the UPN_DNS_INFO to the kdc code.
>>> In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a
>>> assertion of the UPN_DNS_INFO, and the PAC ordering, and anything
>>> (within reason) that we can detect.
>>> This is because the torture/auth/pac.c code no longer runs the same
>>> marshalling code as the KDC, because we let Heimdal do more of that
>>> now. That is probably why those tests still pass (they expect a
>>> -for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add
>> Done, see the master4-smart-tmp branch.
>>> Further, I would like to see that test run against the server using
>>> PKINIT credentials, and to assert the presence of the CREDENTIALS
>>> structure in the right place, and ideally decrypted. (I will
>>> not decrypted however).
>>> That would, in my view, provide the testing needed for the smart
>>> I'll make a start on these requirements today. As I don't have the
>>> instructions on setting up smart cards logons with AD, I may need
>>> to verify the tests on Windows 2012R2 if I can't work it out.
>> The instructions I used are available at
>> see the comments in
>> The manage-ca scripts are also in master:selftest/manage-ca/
>> You just need a .cnf and .sh file for your own domain.
>> But concentrate on getting it working in autobuild, the thing I need
>> help with is the way how to do a pkinit, when given 3 files,
>> the ca cert, the user cert and the user private key without
>> with that information we need to kinit and the result needs to be
>> in a cli_credentials structure.
> Can you add a call to smbtorture rpc.remote_pac to
> testprogs/blackbox/test_pkinit_heimdal.sh, with the --krb5-ccache
> option, and --option=torture:pkinit_in_use=true. Then detect that
> inside remote_pac to ensure it doens't wipe the ccache, only runs a
> subtest (or perhaps write a distinct test using common subroutines),
> and expects the right PAC?
> I would love to fix this up for you, but I'm right out of time tonight!
Ok, master4-smart-base has the test update,
master4-smart-ok adds test_pkinit_pac_heimdal.sh to test it with pkinit.
and master4-smart-tmp requires the UPN_DNS_INFO while we implement it.
There're some unrelated patches in -base and -tmp.
But I think everything up to master4-smart-tmp is ready for master
(we just need to add review tags)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: OpenPGP digital signature
More information about the samba-technical