[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Stefan Metzmacher metze at samba.org
Fri Mar 16 14:49:53 UTC 2018


On 16.03.2018 at 15:42, Stefan Metzmacher via samba-technical wrote:
> Hi,
> 
> I just tested what Windows does if the PAC is missing
> and it turns out it returns ACCESS_DENIED in a session setup response.
> 
> See the attached capture and keytab.

Sorry, here're the attachments.

This is from:

$ bin/samba4kinit --no-request-pac administrator

administrator@W2012R2-L4.BASE's Password:
$ bin/smbclient //w2012r2-183.w2012r2-l4.base/netlogon -k -c quit
session setup failed: NT_STATUS_ACCESS_DENIED
$ bin/samba4kinit administrator

administrator@W2012R2-L4.BASE's Password:
$ bin/smbclient //w2012r2-183.w2012r2-l4.base/netlogon -k -c quit

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2012r2-l4.base-w2012r2-183-krb5-no-pac-smb2-fail-01.pcap.gz
Type: application/gzip
Size: 15250 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180316/758d7d0a/w2012r2-l4.base-w2012r2-183-krb5-no-pac-smb2-fail-01.pcap.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2012r2-l4.base-w2012r2-183-krb5-no-pac-smb2-fail-01.keytab
Type: application/octet-stream
Size: 61694 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180316/758d7d0a/w2012r2-l4.base-w2012r2-183-krb5-no-pac-smb2-fail-01.obj>