[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid
Stefan Metzmacher
metze at samba.org
Fri Mar 16 14:42:30 UTC 2018
Hi,

I just tested what Windows does if the PAC is missing
and it turns out it returns ACCESS_DENIED in a session setup response.
See the attached capture and keytab.

Andreas, please stop your autobuild, I guess we want to adjust the
returned error code and add some tests for this using

  bin/samba4kinit --no-request-pac administrator
  bin/smbclient //w2012r2-183.w2012r2-l4.base/netlogon -k

vs.

  bin/samba4kinit administrator
  bin/smbclient //w2012r2-183.w2012r2-l4.base/netlogon -k

metze

On 16.03.2018 at 13:35, Stefan Metzmacher via samba-technical wrote:
> On 16.03.2018 at 13:33, Stefan Metzmacher via samba-technical wrote:
>> Hi Andreas,
>>
>>>> In source3 we also have code that implements "map to guest = bad uid"
>>>> and maps a Kerberos authenticated user to guest.
>>>>
>>>> Now that we require a running winbindd on a member server,
>>>> we should remove the "bad uid" hacks. Would anyone object
>>>> to that? It would simplify a lot and might make it possible
>>>> to understand all the strange code paths we have to construct
>>>> an auth_session_info.
>>>>
>>>> I guess it is not needed to deprecate it first
>>>> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>>>>
>>>> Should I prepare patches to remove this ("bad uid")?
>>>
>>> Yes, please. :-)
>>
>> Here're the patches on top.
>
> Sorry, here's the correct patchset...
>
> metze
>