[PATCH] pac-glue: fix delegation info blob

Isaac Boukris iboukris at gmail.com
Wed May 29 16:03:15 UTC 2019


Hi,

Attached patch fixes the delegation-info blob to be the same as
Windows KDC returns, by adding the realm to the correct principal.

In general this blob is processed by the target server when it accepts
the delegated ticket (and I guess Windows servers don't fail due to
this bug), but in my experiments with
resource-based-constrained-delegation (cross-realm S4U2Proxy, see
mit-krb5 PR #912), I found that Windows KDC also processes this blob
when in cross-realm tickets, and it would fail the request without
this patch.

I checked separately with a Heimdal build to confirm I can see the same
bug using Wireshark and also checked Windows behavior in traditional
constrained-delegation as well (you may find captures of S4U2Proxy with
keys in Wireshark's samples page).
Thoughts? Any idea how to add a test for this?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: delegation_info.patch
Type: application/octet-stream
Size: 2348 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190529/a1c7b232/delegation_info.obj>

