Reliably looking up user's group membership SIDs

Isaac Boukris iboukris at gmail.com
Thu Mar 15 10:31:54 UTC 2018


Hi Stefan,

On Mon, Mar 12, 2018 at 9:39 PM, Stefan Metzmacher <metze at samba.org> wrote:
> Hi Isaac,
>
>>> Can you follow up on that discussion with MIT and get this fixed in any
>>> of the possible ways?
>>
>>
>> Sure, I'll do a PR with your patch and reference this thread.
>> I'm not sure I could add a test in MIT, as I can't find a way to get
>> the returned pac-principal with an '@' sign.
>
> Thanks! Can you check if they need some kind of bug report
> in order to backport the fix to older releases?


Done, see:
https://github.com/krb5/krb5/pull/744

>>> In addition it would be good to get the bug in Heimdal fixed, so that
>>> we can at least have some minimal tests in Samba's autobuild.

From packet capture, it seems Heimdal lacks the logic to locate the
user's realm but instead tries to get the ticket directly from its own
KDC (fails, with err-policy).
This logic is detailed in MS-SFU (implemented in MIT code as
s4u_identify_user()), doc:
https://msdn.microsoft.com/en-us/library/cc246102.aspx

I think one step would be to enable the canonicalization flag in
get_cred_kdc_referral() (or maybe in get_cred_kdc_capath()?).
If you have some insights on how to fix it in Heimdal, I'd love to hear them.

Thanks and regards.
