[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Andrew Bartlett abartlet at samba.org
Fri Mar 16 18:23:00 UTC 2018

On Fri, 2018-03-16 at 10:39 +0100, Stefan Metzmacher via samba-
technical wrote:
> Hi,
> I recently noticed that we have fallback code that tries to build
> an auth_session_info from a Kerberos principal if there's no
> PAC present in the ticket.
> I think think allowing that is completely stupid.
> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
> and we never set this, so we'll always get a PAC.

Or if we are in an MIT Kerberos realm using a supplied keytab.  

Some folks do that. 

I've not had time to look at the patches, but to support that we would
allow this mode if security=user (server role=standalone), but not as a
domain member.

Sorry I can't give this a proper look today, but I'll add it (along
with the upgrade issue) to my list for Monday.


Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list