Query on commit 1bc2f28b9420829645ed571daf2a17e6688b2103

Jeremy Allison jra at samba.org
Tue Sep 27 21:50:01 UTC 2016


Hi Christof,

I know it's a while ago, but can you explain part
of 1bc2f28b9420829645ed571daf2a17e6688b2103 to me ?

--------------------------------------------------------
Author: Christof Schmitt <christof.schmitt at us.ibm.com>
Date:   Wed Jul 18 14:38:47 2012 -0700

    winbind: Extend wbcAuthenticateUserEx to provide PAC
    
    With this new interface, external applications that have authenticated
    to an ADS can pass the PAC from the Kerberos ticket to
    wbcAuthenticateUserEx. winbindd decodes and extracts the info3
    information for the external application. If winbindd can verify the PAC
    signature, the info3 from the PACis also added to the netsamlogon_cache.
    
    The info3 data can be used by the external application to get the uid
    and primary gid. The data in netsamlogon_cache allows to retrieve the
    complete group list through the NSS function getgrouplist.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
--------------------------------------------------------

It adds the function winbindd_pam_auth_pac_send(), which
I mostly understand, except for this part:

+       if (logon_info) {
+               /* Signature verification succeeded, trust the PAC */
+               netsamlogon_cache_store(NULL, &logon_info->info3);
+
+       } else {
+               /* Try without signature verification */
+               result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
+                                                NULL, NULL, NULL, 0,
+                                                &logon_info);
+               if (!NT_STATUS_IS_OK(result)) {
+                       DEBUG(10, ("Could not extract PAC: %s\n",
+                                  nt_errstr(result)));
+                       return result;
+               }
+       }

It's the second clause - "Try without signature verification" that
I don't get.

Under what circumstances would a PAC fail the signature verification ?
In this case if the PAC that failed the signature verification contains
a logon_info field then we still return NT_STATUS_OK.

In this case we don't add anything into the netsamlogon_cache_store(),
so I don't think this is a security issue, but it looks strange to me.

Is this just for testing purposes ?

I'm asking as I really want to use this call to fix bug:

https://bugzilla.samba.org/show_bug.cgi?id=11259

but that part of the server winbind processing I don't
understand (yet :-).

Cheers,

	Jeremy.



More information about the samba-technical mailing list