[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid
Andreas Schneider
asn at samba.org
Fri Mar 16 09:59:08 UTC 2018
On Friday, 16 March 2018 10:39:35 CET Stefan Metzmacher via samba-technical
wrote:
> Hi,
Hi Metze,
> I recently noticed that we have fallback code that tries to build
> an auth_session_info from a Kerberos principal if there's no
> PAC present in the ticket.
>
> I think think allowing that is completely stupid.
>
> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
> and we never set this, so we'll always get a PAC.
>
> The attached patches let us require a valid PAC blob
> in side Kerberos service tickets.
>
> Please review and push:-)
In the first second patch, shouldn't we do:
+ DATA_BLOB pac_blob = data_blob_null;
As we pass that down by pointer I would prefer it being initialized. Also
talloc_free() -> TALLOC_FREE()?
In the 8th patch, I would do:
+ struct wbcAuthUserParams params = {
+ .level = WBC_AUTH_USER_LEVEL_PAC,
+ };
for the init of params.
> In source3 we also have code that implements "map to guest = bad uid"
> and maps a kerberos authenticated user to guest.
>
> Now that we require a running winbindd on a member server,
> we should remove the "bad uid" hacks. Would anyone object
> to that? It would simplify a lot and might make it possible
> to understand all the strange code paths we have to construct
> an auth_session_info.
>
> I guess it is not needed to deprecate it first
> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>
> Should I prepare patches to remove this ("bad uid")?
Yes, please. :-)
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list