[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Andreas Schneider asn at samba.org
Fri Mar 16 10:45:32 UTC 2018


On Friday, 16 March 2018 11:27:01 CET Stefan Metzmacher wrote:
> Am 16.03.2018 um 10:59 schrieb Andreas Schneider:
> > On Friday, 16 March 2018 10:39:35 CET Stefan Metzmacher via
> > samba-technical
> > 
> > wrote:
> >> Hi,
> > 
> > Hi Metze,
> > 
> >> I recently noticed that we have fallback code that tries to build
> >> an auth_session_info from a Kerberos principal if there's no
> >> PAC present in the ticket.
> >> 
> >> I think think allowing that is completely stupid.
> >> 
> >> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
> >> and we never set this, so we'll always get a PAC.
> >> 
> >> The attached patches let us require a valid PAC blob
> >> in side Kerberos service tickets.
> >> 
> >> Please review and push:-)
> > 
> > In the first second patch, shouldn't we do:
> > 
> > +	DATA_BLOB pac_blob = data_blob_null;
> 
> Done.
> 
> > As we pass that down by pointer I would prefer it being initialized. Also
> > talloc_free() -> TALLOC_FREE()?
> 
> I added a new patch
> "s3:gse: make use of talloc_stackframe() in gensec_gse_session_info()"
> 
> But I left gensec_gssapi_session_info() with talloc_free(),
> all other places in that function use this and it's right before
> the return.
> 
> > In the 8th patch, I would do:
> > 
> > +	struct wbcAuthUserParams params = {
> > +		.level = WBC_AUTH_USER_LEVEL_PAC,
> > +  };
> > 
> > for the init of params.
> 
> The goal was that "git show -w" gives a trivial diff,
> so I left it untouched.
> 
> A new patchset is attached.

Pushed to autobuild

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org





More information about the samba-technical mailing list