Reliably looking up user's group membership SIDs
Isaac Boukris
iboukris at gmail.com
Sat Mar 17 21:11:49 UTC 2018
On Thu, Mar 15, 2018 at 12:31 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> On Mon, Mar 12, 2018 at 9:39 PM, Stefan Metzmacher <metze at samba.org> wrote:
>>>> In addition it would be good to get the bug in Heimdal fixed, so that
>>>> we can at least have some minimal tests in Samba's autobuild.
>
> From packet capture, it seems Heimdal lacks the logic to locate the
> user's realm but instead tries to get the ticket directly from its own
> KDC (fails, with err-policy).
> This logic is detailed in MS-SFU (implemented in MIT code as
> s4u_identify_user()), doc:
> https://msdn.microsoft.com/en-us/library/cc246102.aspx
>
> I think one step would be to enable canonicalization flag, in
> get_cred_kdc_referral() (or maybe in get_cred_kdc_capath()?).
FYI, I managed to get Heimdal S4U2Self to somehow work for a user from
child domain, really just a prove-of-concept, see:
https://github.com/frenche/samba/commit/12627928829d018cd478daa91e8835d0fae5a1a2
The tricky part was, what realm to set in tgs request-body when
sending s4u request to kdc of child domain. If set to service realm
then it'd complain wrong-realm, while if set to impersonate realm
(child) then it say unknown-principal.
Then I looked at MIT code, they send the impersonate realm (kdc's)
along with the service converted to enterprise-name! so borrowed that
convert_to_enterprise() function and it worked (I wonder if it'll work
with an spn too).
More information about the samba-technical
mailing list