Fix smartcard offline logon and NTLM authentication

Andrew Bartlett abartlet at samba.org
Fri Jul 22 20:18:48 UTC 2016


On Fri, 2016-07-22 at 13:13 +0200, Stefan Metzmacher wrote:
> Am 21.07.2016 um 17:49 schrieb Stefan Metzmacher:
> > Am 21.07.2016 um 12:46 schrieb Andrew Bartlett:
> > > On Wed, 2016-07-20 at 10:44 +0200, Stefan Metzmacher wrote:
> > > > Am 19.07.2016 um 21:38 schrieb Andrew Bartlett:
> > > > > On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
> > > > > 
> > > > > > I've added more PAC tests to
> > > > > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-base
> > > > > > 
> > > > > > Some of this is already reviewed by Günther and on its way to
> > > > > > master.
> > > > > > 
> > > > > > Please have a look.
> > > > > 
> > > > > Thanks.
> > > > > 
> > > > > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-ok
> > > > > > is rebased on master4-smart-base.
> > > > > > 
> > > > > > I'm not sure what tests you see as a requirement to let this
> > > > > > in...
> > > > > 
> > > > > I understand your frustration.  Hopefully the below spells it
> > > > > out a bit more clearly.
> > > > > 
> > > > > > And
> > > > > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-tmp
> > > > > > finally adds the UPN_DNS_INFO to the kdc code.
> > > > > > 
> > > > > 
> > > > > In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a
> > > > > runtime assertion of the UPN_DNS_INFO, and the PAC ordering, and
> > > > > anything else (within reason) that we can detect.
> > > > > 
> > > > > This is because the torture/auth/pac.c code no longer runs the
> > > > > same PAC marshalling code as the KDC, because we let Heimdal do
> > > > > more of that now.  That is probably why those tests still pass
> > > > > (they expect a byte-for-byte Win2k3 PAC totally rebuilt!) with
> > > > > the KDC asked to add UPN_DNS_INFO.
> > > > 
> > > > Done, see the master4-smart-tmp branch.
> > > > 
> > > > > Further, I would like to see that test run against the server
> > > > > using PKINIT credentials, and to assert the presence of the
> > > > > CREDENTIALS structure in the right place, and ideally decrypted.
> > > > > (I will accept not decrypted however.)
> > > > > 
> > > > > That would, in my view, provide the testing needed for the
> > > > > smart-card changes.
> > > > > 
> > > > > I'll make a start on these requirements today.  As I don't have
> > > > > the instructions on setting up smart card logons with AD, I may
> > > > > need you to verify the tests on Windows 2012R2 if I can't work
> > > > > it out.
> > > > 
> > > > The instructions I used are available at
> > > > https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/
> > > > see the comments in
> > > > https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/manage-CA-w4edom-l4.base.sh
> > > > 
> > > > The manage-ca scripts are also in master:selftest/manage-ca/
> > > > You just need a .cnf and .sh file for your own domain.
> > > > 
> > > > But concentrate on getting it working in autobuild. The thing I
> > > > need help with is how to do a pkinit when given 3 files: the CA
> > > > cert, the user cert and the user private key without passphrase.
> > > > With that information we need to kinit, and the result needs to
> > > > be in a cli_credentials structure.
> > > 
> > > Can you add a call to smbtorture rpc.remote_pac to
> > > testprogs/blackbox/test_pkinit_heimdal.sh, with the --krb5-ccache
> > > option, and --option=torture:pkinit_in_use=true.  Then detect that
> > > inside remote_pac to ensure it doesn't wipe the ccache, only runs a
> > > subtest (or perhaps write a distinct test using common subroutines),
> > > and expects the right PAC?
> > > 
> > > I would love to fix this up for you, but I'm right out of time
> > > tonight!
> > 
> > Ok, master4-smart-base has the test update,
> > master4-smart-ok adds test_pkinit_pac_heimdal.sh to test it with
> > pkinit, and master4-smart-tmp requires the UPN_DNS_INFO while we
> > implement it.
> > 
> > There are some unrelated patches in -base and -tmp.
> > But I think everything up to master4-smart-tmp is ready for master
> > (we just need to add review tags).
> 
> I rebased it on master4-gpgme and added a WHATNEW entry.

Reviewed and pushed to autobuild!

The only thing I missed was the session key patch, which needs to be
fixed to be info3, not info2 and is missing a signed-off-by, but that's
also RB me with that fixed up for your next push, whatever that may be.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba