Query on commit 1bc2f28b9420829645ed571daf2a17e6688b2103

Christof Schmitt cs at samba.org
Tue Sep 27 22:12:04 UTC 2016


On Tue, Sep 27, 2016 at 02:50:01PM -0700, Jeremy Allison wrote:
> Hi Christof,
> 
> I know it's a while ago, but can you explain part
> of 1bc2f28b9420829645ed571daf2a17e6688b2103 to me ?
> 
> --------------------------------------------------------
> Author: Christof Schmitt <christof.schmitt at us.ibm.com>
> Date:   Wed Jul 18 14:38:47 2012 -0700
> 
>     winbind: Extend wbcAuthenticateUserEx to provide PAC
>     
>     With this new interface, external applications that have authenticated
>     to an ADS can pass the PAC from the Kerberos ticket to
>     wbcAuthenticateUserEx. winbindd decodes and extracts the info3
>     information for the external application. If winbindd can verify the PAC
>     signature, the info3 from the PAC is also added to the netsamlogon_cache.
>     
>     The info3 data can be used by the external application to get the uid
>     and primary gid. The data in netsamlogon_cache allows retrieving the
>     complete group list through the NSS function getgrouplist.
>     
>     Signed-off-by: Andrew Bartlett <abartlet at samba.org>
> --------------------------------------------------------
> 
> It adds the function winbindd_pam_auth_pac_send(), which
> I mostly understand, except for this part:
> 
> +       if (logon_info) {
> +               /* Signature verification succeeded, trust the PAC */
> +               netsamlogon_cache_store(NULL, &logon_info->info3);
> +
> +       } else {
> +               /* Try without signature verification */
> +               result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
> +                                                NULL, NULL, NULL, 0,
> +                                                &logon_info);
> +               if (!NT_STATUS_IS_OK(result)) {
> +                       DEBUG(10, ("Could not extract PAC: %s\n",
> +                                  nt_errstr(result)));
> +                       return result;
> +               }
> +       }
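Review bot: the else branch makes a PAC that failed (or never had) signature verification indistinguishable from a verified one at the API boundary: the second kerberos_pac_logon_info() call passes no keys at all, so on success the function falls through with NT_STATUS_OK and a populated logon_info exactly as in the verified case, and only the netsamlogon_cache_store() call in the if branch differs. Carry the outcome explicitly, for example by recording a `pac_verified` flag in the response so the caller can decide whether to rely on the info3 group data, or by rejecting unverified PACs unless the caller asked for decode-only, and replace the `/* Try without signature verification */` comment with a statement of which callers are expected to consume unverified data and why that is acceptable.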
> 
> It's the second clause - "Try without signature verification" that
> I don't get.
> 
> Under what circumstances would a PAC fail the signature verification ?
> In this case if the PAC that failed the signature verification contains
> a logon_info field then we still return NT_STATUS_OK.
> 
> In this case we don't add anything into the netsamlogon_cache_store(),
> so I don't think this is a security issue, but it looks strange to me.
> 
> Is this just for testing purposes ?
> 
> I'm asking as I really want to use this call to fix bug:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=11259
> 
> but that part of the server winbind processing I don't
> understand (yet :-).

The whole discussion around this interface is in the thread at:
https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283

The reason for handling the failed signature validation is mentioned
here:
https://lists.samba.org/archive/samba-technical/2012-July/085713.html

The scenario here would be having winbindd running on a machine with the
keytab from the machine account, but also a different service like
Ganesha that is using a separate keytab. In this case e.g. Ganesha could
ask winbindd to decode the PAC and still get its contents, even though
winbindd does not trust the information since it was signed with a
different keytab.

I hope that this helps. One missing piece would be signalling back to
the user of the winbindd interface whether the information from the PAC
was trusted and stored in the logoncache.


Christof
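The verify-then-decode logic discussed above, and the "missing piece" Christof mentions (telling the caller whether the PAC was trusted), as an added example that is not part of the original thread or of Samba's code. The PAC here is a constructed stand-in (a length-prefixed JSON logon-info payload with an HMAC-SHA256 "server signature" in place of the Kerberos checksum), the keys are plain byte strings standing in for the machine-account and Ganesha keytabs, and `build_pac`, `pac_logon_info`, `auth_pac` and the dict-based `netsamlogon_cache` are all hypothetical names chosen to mirror the quoted hunk, not winbindd's real functions:

```python
import hashlib
import hmac
import json
import struct

# Constructed stand-in for a PAC (not Samba's NDR-encoded PAC): a 4-byte
# little-endian length, the logon-info payload as JSON, then a 32-byte
# HMAC-SHA256 "server signature" over the payload. Real PACs are signed with
# Kerberos checksums keyed on the service's long-term key; the HMAC plays that
# role here, so "the service's keytab" is just a byte string.
SIG_LEN = 32


def build_pac(logon_info, service_key):
    """Build a signed stand-in PAC for the given logon info (test helper)."""
    payload = json.dumps(logon_info, sort_keys=True).encode()
    sig = hmac.new(service_key, payload, hashlib.sha256).digest()
    return struct.pack("<I", len(payload)) + payload + sig


def _split_pac(blob):
    """Separate payload and signature, rejecting short or truncated blobs."""
    if len(blob) < 4:
        raise ValueError("PAC too short")
    (n,) = struct.unpack("<I", blob[:4])
    payload, sig = blob[4:4 + n], blob[4 + n:4 + n + SIG_LEN]
    if len(payload) != n or len(sig) != SIG_LEN:
        raise ValueError("PAC truncated")
    return payload, sig


def pac_logon_info(blob, service_key):
    """Mirror of the quoted hunk's two-step logic with the outcome made
    explicit: returns (logon_info, verified). When service_key is None or the
    signature does not match, the payload is still decoded, exactly as the
    'try without signature verification' branch does."""
    payload, sig = _split_pac(blob)
    logon_info = json.loads(payload.decode())
    if not isinstance(logon_info, dict):
        raise ValueError("PAC payload is not a logon_info record")
    verified = False
    if service_key is not None:
        expected = hmac.new(service_key, payload, hashlib.sha256).digest()
        verified = hmac.compare_digest(expected, sig)
    return logon_info, verified


def auth_pac(blob, service_key, netsamlogon_cache):
    """Stand-in for winbindd_pam_auth_pac_send(): decode the PAC, store info3
    in the cache only when the signature verified, and report the trust
    decision in the response so the caller is not left guessing. The cache is
    a dict keyed by account name, a simplification of the real SID-keyed tdb."""
    try:
        logon_info, verified = pac_logon_info(blob, service_key)
    except ValueError as e:  # also covers UTF-8 and JSON decoding errors
        return {"status": "error", "reason": str(e)}
    if verified:
        # Signature verified: safe to expose the group list through NSS.
        netsamlogon_cache[logon_info["account_name"]] = dict(logon_info)
    return {"status": "ok", "info3": logon_info, "pac_verified": verified}


def demo():
    """Walk the cases from the thread with constructed keys and logon data."""
    winbindd_key = b"machine-account-keytab"  # constructed
    ganesha_key = b"nfs-ganesha-keytab"       # constructed
    info = {"account_name": "alice", "rid": 1104,
            "primary_gid": 513, "group_rids": [513, 1105]}
    blob = build_pac(info, ganesha_key)
    cache = {}
    # Ganesha's own key: signature verifies, info3 is cached.
    trusted = auth_pac(blob, ganesha_key, cache)
    # winbindd's machine-account key: decodes fine but cannot be trusted.
    foreign = auth_pac(blob, winbindd_key, cache)
    # Forged RID inside a correctly framed PAC: decodes, must not be cached.
    payload, sig = _split_pac(blob)
    forged = struct.pack("<I", len(payload)) + payload.replace(b"1104", b"9999") + sig
    tampered = auth_pac(forged, ganesha_key, cache)
    return trusted, foreign, tampered, cache


if __name__ == "__main__":
    for name, r in zip(("trusted", "foreign", "tampered"), demo()[:3]):
        print(name, r["status"], r.get("pac_verified"))
```

The point of the `pac_verified` flag is that a consumer such as Ganesha can still obtain uid and primary gid from an unverified PAC, while anything that feeds group membership into authorization decisions can insist on `pac_verified` being true; with the logic as quoted in the hunk, both outcomes arrive as NT_STATUS_OK and the caller has no way to tell them apart.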
