Fix smartcard offline logon and NTLM authentication

Andrew Bartlett abartlet at
Mon Jun 27 03:02:53 UTC 2016

On Mon, 2016-06-20 at 22:55 +0200, Stefan Metzmacher wrote:
> Hi,
> here're some patches to fix smartcard offline logons
> and related bugs.
> The key part is adding PAC_CREDENTIAL with the NTHASH.
> In order to avoid an NTHASH based on a password,
> I also implemented the UF_SMARTCARD_REQUIRED feature,
> that generates a random NTHASH value, that is only
> known to the KDC and the private key of the smartcard.
> I may need to add some more BUG: markers, but you can start
> with the review now:-)
> See
> master4-smart-ok
> it's based on
> master4-smart-base

G'Day metze,

I can't see any tests for the critical components of this task, that is
the changed PAC.  Can you add a test that confirms the returned PAC has
the correct password, and that these elements are present?

I'll keep looking over the rest of the changes.  I know you mention
adding more BUG: markers, which is OK, but please don't backport these.
Samba 4.5 is coming soon enough, and I would really prefer not to see
big backports made for pwdLastSet or smart card login features.

Finally, please ensure that you fix the code to pass the repl_move
test.  This is sensitive to the exact repl_meta_data behaviour, in
particular the number of password attributes with metadata, but it
seems we still don't match Windows even with your changes. 


Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
