[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Andreas Schneider asn at samba.org
Fri Mar 16 09:59:08 UTC 2018

On Friday, 16 March 2018 10:39:35 CET Stefan Metzmacher via samba-technical 
> Hi,

Hi Metze,

> I recently noticed that we have fallback code that tries to build
> an auth_session_info from a Kerberos principal if there's no
> PAC present in the ticket.
> I think think allowing that is completely stupid.
> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
> and we never set this, so we'll always get a PAC.
> The attached patches let us require a valid PAC blob
> in side Kerberos service tickets.
> Please review and push:-)

In the first second patch, shouldn't we do:

+	DATA_BLOB pac_blob = data_blob_null;

As we pass that down by pointer I would prefer it being initialized. Also 
talloc_free() -> TALLOC_FREE()?

In the 8th patch, I would do:

+	struct wbcAuthUserParams params = {
+  };

for the init of params.

> In source3 we also have code that implements "map to guest = bad uid"
> and maps a kerberos authenticated user to guest.
> Now that we require a running winbindd on a member server,
> we should remove the "bad uid" hacks. Would anyone object
> to that? It would simplify a lot and might make it possible
> to understand all the strange code paths we have to construct
> an auth_session_info.
> I guess it is not needed to deprecate it first
> as this can only happen if /etc/nsswitch.conf is not configured correctly.
> Should I prepare patches to remove this ("bad uid")?

Yes, please. :-)


Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org

More information about the samba-technical mailing list