[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Stefan Metzmacher metze at samba.org
Fri Mar 16 14:42:30 UTC 2018


I just tested what Windows does if the PAC is missing
and it turns out it returns ACCESS_DENIED in a session setup response.

The the attached capture and keytab.

Andreas, please stop your autobuild, I guess we want to adjust the
returned error code and add some test for this using

bin/samba4kinit --no-request-pac administrator
bin/smbclient //w2012r2-183.w2012r2-l4.base/netlogon -k

bin/samba4kinit administrator
bin/smbclient //w2012r2-183.w2012r2-l4.base/netlogon -k


Am 16.03.2018 um 13:35 schrieb Stefan Metzmacher via samba-technical:
> Am 16.03.2018 um 13:33 schrieb Stefan Metzmacher via samba-technical:
>> Hi Andreas,
>>>> In source3 we also have code that implements "map to guest = bad uid"
>>>> and maps a kerberos authenticated user to guest.
>>>> Now that we require a running winbindd on a member server,
>>>> we should remove the "bad uid" hacks. Would anyone object
>>>> to that? It would simplify a lot and might make it possible
>>>> to understand all the strange code paths we have to construct
>>>> an auth_session_info.
>>>> I guess it is not needed to deprecate it first
>>>> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>>>> Should I prepare patches to remove this ("bad uid")?
>>> Yes, please. :-)
>> Here're the patches on top.
> Sorry, here's the correct patchset...
> metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180316/995d54d7/signature.sig>

More information about the samba-technical mailing list