Fix smartcard offline logon and NTLM authentication
abartlet at samba.org
Mon Jun 27 03:02:53 UTC 2016
On Mon, 2016-06-20 at 22:55 +0200, Stefan Metzmacher wrote:
> here're some patches to fix smartcard offline logons
> and related bugs.
> The key part is adding PAC_CREDENTIAL with the NTHASH.
> In order to avoid an NTHASH based on a password,
> I also implemented the UF_SMARTCARD_REQUIRED feature,
> that generates a random NTHASH value, that is only
> known to the KDC and the private key of the smartcard.
> I may need to add some more BUG: markers, but you can start
> with the review now :-)
> it's based on
I can't see any tests for the critical components of this task, that is
the changed PAC. Can you add a test that confirms the returned PAC has
the correct password, nor that these elements are present?
I'll keep looking over the rest of the changes. I know you mention
adding more BUG: markers, which is OK, but please don't backport these.
Samba 4.5 is coming soon enough, and I would really prefer not to see
big backports made for pwdLastSet nor smart card login features.
Finally, please ensure that you fix the code to pass the repl_move
test. This is sensitive to the exact repl_meta_data behaviour, in
particular the number of password attributes with metadata, but it
seems we still don't match Windows even with your changes.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
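The review asks for a test that the returned PAC actually carries the new PAC_CREDENTIAL element. As an added illustration (not code from Samba or from either author), the following walks the PACTYPE buffer directory of a PAC blob and checks that a non-empty PAC_CREDENTIAL_INFO buffer (ulType 2 in MS-PAC) is present; the sample PACs are constructed inline, and the credential buffer's encrypted contents are not decrypted here.

```python
import struct

# PAC buffer types from MS-PAC section 2.4 (only those used here)
PAC_TYPE_LOGON_INFO = 1
PAC_TYPE_CREDENTIAL_INFO = 2
PAC_TYPE_SERVER_CHECKSUM = 6
PAC_TYPE_KDC_CHECKSUM = 7


def parse_pac_buffers(pac: bytes) -> dict:
    """Walk the PACTYPE header and return {ulType: raw buffer bytes}."""
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:  # MS-PAC: Version MUST be 0
        raise ValueError(f"unexpected PAC version {version}")
    buffers = {}
    pos = 8
    for _ in range(count):
        if pos + 16 > len(pac):
            raise ValueError("truncated PAC_INFO_BUFFER array")
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, pos)
        pos += 16
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ul_type} points outside the PAC")
        buffers[ul_type] = pac[offset:offset + size]
    return buffers


def pac_has_credential_info(pac: bytes) -> bool:
    """What the requested test would assert: a non-empty PAC_CREDENTIAL_INFO buffer exists."""
    bufs = parse_pac_buffers(pac)
    return len(bufs.get(PAC_TYPE_CREDENTIAL_INFO, b"")) > 0


def build_pac(entries) -> bytes:
    """Assemble a constructed PAC: header, buffer directory, then 8-byte aligned buffers."""
    offset = 8 + 16 * len(entries)
    directory, body = b"", b""
    for ul_type, data in entries:
        directory += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\x00" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(entries), 0) + directory + body


# Constructed sample PACs (placeholder contents, not real KDC output)
WITH_CRED = build_pac([(PAC_TYPE_LOGON_INFO, b"\x01" * 24),
                       (PAC_TYPE_CREDENTIAL_INFO, b"\x02" * 40),
                       (PAC_TYPE_SERVER_CHECKSUM, b"\x00" * 16),
                       (PAC_TYPE_KDC_CHECKSUM, b"\x00" * 16)])
WITHOUT_CRED = build_pac([(PAC_TYPE_LOGON_INFO, b"\x01" * 24),
                          (PAC_TYPE_SERVER_CHECKSUM, b"\x00" * 16),
                          (PAC_TYPE_KDC_CHECKSUM, b"\x00" * 16)])
```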