Fix smartcard offline logon and NTLM authentication

Stefan Metzmacher metze at samba.org
Fri Jul 22 11:13:15 UTC 2016


On 21.07.2016 at 17:49, Stefan Metzmacher wrote:
> On 21.07.2016 at 12:46, Andrew Bartlett wrote:
>> On Wed, 2016-07-20 at 10:44 +0200, Stefan Metzmacher wrote:
>>> On 19.07.2016 at 21:38, Andrew Bartlett wrote:
>>>> On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
>>>>
>>>>> I've added more PAC tests to
>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-base
>>>>>
>>>>> Some of this is already reviewed by Günther and on its way to
>>>>> master.
>>>>>
>>>>> Please have a look.
>>>>
>>>> Thanks. 
>>>>
>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-ok
>>>>> is rebased on master4-smart-base.
>>>>>
>>>>> I'm not sure what tests you see as a requirement to let this
>>>>> in...
>>>>
>>>> I understand your frustration.  Hopefully the below spells it out a
>>>> bit
>>>> more clearly.
>>>>
>>>>> And
>>>>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-tmp
>>>>> finally adds the UPN_DNS_INFO to the kdc code.
>>>>>
>>>>
>>>> In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a
>>>> runtime
>>>> assertion of the UPN_DNS_INFO, and the PAC ordering, and anything
>>>> else
>>>> (within reason) that we can detect.  
>>>>
>>>> This is because the torture/auth/pac.c code no longer runs the same
>>>> PAC
>>>> marshalling code as the KDC, because we let Heimdal do more of that
>>>> now.  That is probably why those tests still pass (they expect a
>>>> byte-for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add
>>>> UPN_DNS_INFO.
>>>
>>> Done, see the master4-smart-tmp branch.
>>>
>>>> Further, I would like to see that test run against the server using
>>>> PKINIT credentials, and to assert the presence of the CREDENTIALS
>>>> structure in the right place, and ideally decrypted.  (I will
>>>> accept
>>>> not decrypted however). 
>>>>
>>>> That would, in my view, provide the testing needed for the
>>>> smart-card changes.
>>>>
>>>> I'll make a start on these requirements today.  As I don't have the
>>>> instructions on setting up smart cards logons with AD, I may need
>>>> you
>>>> to verify the tests on Windows 2012R2 if I can't work it out.
>>>
>>> The instructions I used are available at
>>> https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/
>>> see the comments in
>>> https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/manage-CA-w4edom-l4.base.sh
>>>
>>> The manage-ca scripts are also in master:selftest/manage-ca/
>>> You just need a .cnf and .sh file for your own domain.
>>>
>>> But concentrate on getting it working in autobuild, the thing I need
>>> help with is the way how to do a pkinit, when given 3 files,
>>> the ca cert, the user cert and the user private key without
>>> passphrase,
>>> with that information we need to kinit and the result needs to be
>>> in a cli_credentials structure.
>>
>> Can you add a call to smbtorture rpc.remote_pac to
>> testprogs/blackbox/test_pkinit_heimdal.sh, with the --krb5-ccache
>> option, and --option=torture:pkinit_in_use=true.  Then detect that
>> inside remote_pac to ensure it doesn't wipe the ccache, only runs a
>> subtest (or perhaps write a distinct test using common subroutines),
>> and expects the right PAC?
>>
>> I would love to fix this up for you, but I'm right out of time tonight!
> 
> Ok, master4-smart-base has the test update,
> master4-smart-ok adds test_pkinit_pac_heimdal.sh to test it with pkinit.
> and master4-smart-tmp requires the UPN_DNS_INFO while we implement it.
> 
> There're some unrelated patches in -base and -tmp.
> But I think everything up to master4-smart-tmp is ready for master
> (we just need to add review tags)

I rebased it on master4-gpgme and added a WHATNEW entry.

metze
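Putting the two halves of the thread together, as an added illustration that is not part of the messages above and not Samba's own test_pkinit_heimdal.sh: the three files (CA cert, user cert, user private key without passphrase) go to Heimdal kinit via pkinit_anchors and --pk-user, the ticket lands in a dedicated file ccache, and smbtorture picks that ccache up through --krb5-ccache together with the torture:pkinit_in_use option. The realm, KDC, server binding, principal and file paths are placeholders supplied through the environment.

```shell
#!/bin/sh
# Added example (not Samba's test script): PKINIT from three files into a
# file ccache, then rpc.remote_pac against that ccache.  Assumes a Heimdal
# kinit (-C / --pk-user) and a Samba build providing smbtorture.
set -e

# Write a minimal krb5.conf that trusts the given CA for PKINIT.
# $1 = output path, $2 = realm, $3 = CA certificate (PEM), $4 = KDC host.
# Echoes the path of the written file.
write_pkinit_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $2

[realms]
    $2 = {
        kdc = $4
        pkinit_anchors = FILE:$3
    }
EOF
    echo "$1"
}

# Obtain a TGT with PKINIT into its own file ccache, so a test that wipes
# the default ccache cannot destroy it.  $1 = ccache path, $2 = user cert,
# $3 = user private key (no passphrase), $4 = principal.  Echoes ccache name.
pkinit_into_ccache() {
    KRB5CCNAME="FILE:$1" kinit -C "FILE:$2,$3" "$4"
    echo "FILE:$1"
}

# Run the remote PAC test with the PKINIT ccache; the torture option tells
# remote_pac that PKINIT credentials are in use, so it must keep the ccache
# and expect the CREDENTIALS structure in the PAC.  $1 = ccache, $2 = server.
run_remote_pac_test() {
    smbtorture "ncacn_np:$2" rpc.remote_pac \
        --krb5-ccache="$1" \
        --option="torture:pkinit_in_use=true"
}

# The live part only runs when the placeholder inputs are provided.
if [ -n "${PKINIT_CA:-}" ] && [ -n "${PKINIT_CERT:-}" ] && [ -n "${PKINIT_KEY:-}" ]; then
    conf=$(write_pkinit_krb5_conf "$PWD/krb5-pkinit.conf" "$REALM" "$PKINIT_CA" "$KDC")
    export KRB5_CONFIG="$conf"
    cc=$(pkinit_into_ccache "$PWD/pkinit.ccache" "$PKINIT_CERT" "$PKINIT_KEY" "$PRINCIPAL")
    run_remote_pac_test "$cc" "$SERVER"
fi
```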
