[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Andrew Bartlett abartlet at samba.org
Fri Mar 16 18:23:00 UTC 2018


On Fri, 2018-03-16 at 10:39 +0100, Stefan Metzmacher via samba-technical wrote:
> Hi,
> 
> I recently noticed that we have fallback code that tries to build
> an auth_session_info from a Kerberos principal if there's no
> PAC present in the ticket.
> 
> I think allowing that is completely stupid.
> 
> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
> and we never set this, so we'll always get a PAC.

Or if we are in an MIT Kerberos realm using a supplied keytab.  

Some folks do that. 

I've not had time to look at the patches, but to support that we would
allow this mode if security=user (server role=standalone), but not as a
domain member.

Sorry I can't give this a proper look today, but I'll add it (along
with the upgrade issue) to my list for Monday.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba