Reliably looking up user's group membership SIDs

Stefan Metzmacher metze at samba.org
Mon Mar 12 11:24:27 UTC 2018


Hi Issac,

> $ git diff
> diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
> index 0eb19e6bb..38d25dc37 100644
> --- a/src/lib/krb5/krb/pac.c
> +++ b/src/lib/krb5/krb/pac.c
> @@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
>      krb5_ui_2 pac_princname_length;
>      int64_t pac_nt_authtime;
>      krb5_principal pac_principal;
> +    int enterprise = 0;
> 
>      ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
>                                 &client_info);
> @@ -440,8 +441,13 @@ k5_pac_validate_client(krb5_context context,
>      if (ret != 0)
>          return ret;
> 
> +    if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
> +       enterprise = 1;
> +
>      ret = krb5_parse_name_flags(context, pac_princname,
> -                                KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
> +                                KRB5_PRINCIPAL_PARSE_NO_REALM | enterprise ?
> +                                KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0,
> +                                &pac_principal);
>      if (ret != 0) {
>          free(pac_princname);
> 
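Review bot: operator precedence in the krb5_parse_name_flags call is wrong: `|` binds tighter than `?:`, so `KRB5_PRINCIPAL_PARSE_NO_REALM | enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0` is parsed as `(KRB5_PRINCIPAL_PARSE_NO_REALM | enterprise) ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0`; since KRB5_PRINCIPAL_PARSE_NO_REALM is non-zero the condition is always true, so NO_REALM is dropped for every caller and the enterprise test has no effect. Parenthesize the conditional, or build the flags in a variable before the call: `int flags = KRB5_PRINCIPAL_PARSE_NO_REALM; if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL) flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;` and pass `flags`. The `enterprise = 1;` line is also indented with seven spaces instead of eight.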
> 
> With this fix, it now works ok even for a user from child domain with
> the same UPN suffix (abc).
> What do you think of this patch? Did you encounter this issue, other issues?

I prepared the attached patch (but have not yet tested it).

Also see the discussion on krbdev at mit.edu.
http://mailman.mit.edu/pipermail/krbdev/2017-August/012806.html

We could also take over the logic from Heimdal.

Can you follow up on that discussion with MIT and get this fixed in any
of the possible ways?

In addition, it would be good to get the bug in Heimdal fixed, so that
we can at least have some minimal tests in Samba's autobuild.

metze
-------------- next part --------------
From 5d7e24d32e247106a6e560d1ae9505a38eda129e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 16 Aug 2017 15:17:12 +0200
Subject: [PATCH] TODO test! krb5: let k5_pac_validate_client handle S4U2Self
 with enterprise principals

---
 src/lib/krb5/krb/pac.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6..10110b9 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,8 @@ k5_pac_validate_client(krb5_context context,
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
     krb5_principal pac_principal;
+    int parse_name_flags = 0;
+    const char *at = NULL;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
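Review bot: `parse_name_flags` is initialized to 0 here but is unconditionally assigned KRB5_PRINCIPAL_PARSE_NO_REALM before its first use in the second hunk, so the initializer is dead; either initialize it to KRB5_PRINCIPAL_PARSE_NO_REALM at the declaration or leave it uninitialized. `at` is only used for the strchr test and can be scoped to that block instead of the whole function.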
@@ -440,8 +442,14 @@ k5_pac_validate_client(krb5_context context,
     if (ret != 0)
         return ret;
 
+    parse_name_flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+    at = strchr(pac_princname, '@');
+    if (at != NULL) {
+        parse_name_flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+    }
+
     ret = krb5_parse_name_flags(context, pac_princname,
-                                KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+                                parse_name_flags, &pac_principal);
     if (ret != 0) {
         free(pac_princname);
         return ret;
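Review bot: the enterprise decision is now inferred from the PAC client name containing an '@' rather than from the requested principal's type, which is what the quoted patch keys on; a comment explaining why the PAC name is the right signal belongs here, because as written any '@' anywhere in the string forces enterprise parsing, and if a non-enterprise name can ever contain one the check should additionally consult `principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL`. The subject line still carries "TODO test!", so the patch should not go in without a case exercising both an enterprise-principal S4U2Self request and a plain one through k5_pac_validate_client.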
-- 
1.9.1
