[PATCH] pac-glue: fix delegation info blob

Stefan Metzmacher metze at samba.org
Thu May 30 07:30:50 UTC 2019


Hi Issac,

>>>>>> Attached patch fixes the delegation-info blob to be the same as
>>>>>> Windows KDC returns, by adding the realm to the correct principal.
>>>>>
>>>>> Metze points out that this bug is already logged as:
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=13133
>>>>>
>>>>> And thank you for all the other hints!

This is related to the discussion here:

https://lists.samba.org/archive/samba-technical/2017-November/123755.html

>>>> Could you add the bug to the patch comment?
>>>>
>>>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
>>>
>>> I didn't mention, but the bug has already attached the same patch
>>> essentially (without my terminology changes, but in second thought
>>> those probably belong in a separate commit).
>>
>> Yes, but Andreas is asking for the opposite, that is our practice of
>> adding BUG: ... to the commit message of every commit fixing or related
>> to a bug, so we can track in the git tree which commits fix which bugs.
> 
> Sorry for being unclear, what I meant to say is that we can discard my
> patch since Metze has already made a patch, attached to this bug (with
> the bug number properly specified in the commit message).

As reference here are the open bugs:


S4U2Proxy requests with encrypted authorization-data are rejected by a
Samba KDC
https://bugzilla.samba.org/show_bug.cgi?id=13131

The content of the S4U_DELEGATION_INFO PAC element is filled wrong by a
Samba KDC
https://bugzilla.samba.org/show_bug.cgi?id=13133

Padding/alignment of PAC elements is done wrong on Samba KDCs
https://bugzilla.samba.org/show_bug.cgi?id=13134

The KDC logic around msDs-supportedEncryptionTypes differs from Windows
https://bugzilla.samba.org/show_bug.cgi?id=13135

A Samba KDC doesn't include the RID of the primary group also in the rid
array of groups
https://bugzilla.samba.org/show_bug.cgi?id=13136

S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks
(authtime mismatch)
https://bugzilla.samba.org/show_bug.cgi?id=13137

The attempts to fix this can be found here:
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-7-s4u2proxy
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-5-s4u2proxy

> It will be a challenge to bring the fixes to our users
> as it's currently completely untested code mostly.
> ...
> I hope to find the time to create the start for low level
> kerberos tests, using pyasn1 and some python bindings for
> the krb5_crypto_* apis. Then we'll hopefully be able to
> build something similar to the dcerpc raw protocol tests.

Sadly I never found the time to make any progress on the tests...

metze
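Two of the bugs listed above (13133 and 13134) concern the layout of the PAC that a KDC puts into a ticket. The following is an added example, not code from this thread or from Samba: a minimal Python checker for the PACTYPE header and buffer table as documented in MS-PAC, which reports buffers that do not start on an 8-byte boundary and locates the S4U_DELEGATION_INFO element (ulType 11). The `build_pac` helper and its payloads are constructed for the demonstration only; the `aligned=False` mode reproduces the kind of misalignment bug 13134 describes.

```python
import struct

# Layout from the public MS-PAC specification: PACTYPE header (cBuffers, Version,
# both u32) followed by cBuffers PAC_INFO_BUFFER entries (ulType u32,
# cbBufferSize u32, Offset u64), all little-endian; every buffer must start on
# an 8-byte boundary.
PAC_HEADER = struct.Struct("<II")
PAC_INFO_BUFFER = struct.Struct("<IIQ")
PAC_DELEGATION_INFO = 11      # ulType of the S4U_DELEGATION_INFO element
PAC_SERVER_CHECKSUM = 6

def parse_pac(blob):
    """Return ([(ulType, offset, size)], [layout problems]) for a PAC blob."""
    if len(blob) < PAC_HEADER.size:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = PAC_HEADER.unpack_from(blob, 0)
    problems = [] if version == 0 else [f"unexpected PACTYPE version {version}"]
    buffers, pos = [], PAC_HEADER.size
    for i in range(count):
        if pos + PAC_INFO_BUFFER.size > len(blob):
            problems.append(f"PAC_INFO_BUFFER table truncated at entry {i}")
            break
        ultype, size, offset = PAC_INFO_BUFFER.unpack_from(blob, pos)
        pos += PAC_INFO_BUFFER.size
        if offset % 8:
            problems.append(f"type {ultype} at offset {offset} is not 8-byte aligned")
        if offset + size > len(blob):
            problems.append(f"type {ultype} runs past the end of the PAC")
        buffers.append((ultype, offset, size))
    return buffers, problems

def find_buffer(blob, ultype):
    """Return the raw bytes of the first element with the given ulType, or None."""
    for t, offset, size in parse_pac(blob)[0]:
        if t == ultype:
            return blob[offset:offset + size]
    return None

def build_pac(elements, aligned=True):
    """Constructed demo PAC from [(ulType, payload)]; aligned=False packs the
    payloads back to back, the padding defect bug 13134 describes."""
    table_end = PAC_HEADER.size + PAC_INFO_BUFFER.size * len(elements)
    body, entries = bytearray(), []
    for ultype, payload in elements:
        if aligned and len(body) % 8:
            body += b"\0" * (8 - len(body) % 8)
        entries.append(PAC_INFO_BUFFER.pack(ultype, len(payload), table_end + len(body)))
        body += payload
    return PAC_HEADER.pack(len(elements), 0) + b"".join(entries) + bytes(body)
```

Feed `parse_pac` a PAC extracted from a real ticket's authorization-data to list its elements and any alignment problems; the payloads used with `build_pac` here are placeholders, not NDR-encoded PAC contents.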
