Kerberos features talk at sambaxp

Alexander Bokovoy ab at samba.org
Wed May 27 19:44:25 UTC 2020


On Wed, 27 May 2020, Stefan Metzmacher via samba-technical wrote:
> Hi Isaac,
> 
> > Thanks for the talk, it was great, can't wait for the slides :)
> 
> Thanks! I'm sorry not to finish in time:-(
> 
> I may be able to complete the recording to the end for the archives.
> 
> StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
> can be found under:
> https://www.samba.org/~metze/presentations/2020/SambaXP/
> 
> Also check out the latest Wireshark!
> 
> > I don't recall a problem with the enterprise principals in old
> > S4U2Self padata, but I mostly test MIT client, I'll give it a try.
> 
> I'm also not 100% sure, but I thought you told me about it:-)
> 
> I think the difference is also the client principal in the referral
> tickets on the way back.

As part of our work on server referrals in FreeIPA, Isaac and I made a
tool that might be useful for these investigations:

https://pagure.io/freeipa/raw/master/f/daemons/ipa-kdb/ipa-print-pac.c

It uses GSSAPI and Samba's libndr to obtain tickets and print the content
of a PAC. Obviously, it can be extended to print more ticket details if
needed.

It is able to acquire normal service tickets and S4U2Self ones, with
enterprise principals or not. We use it in FreeIPA tests in-realm and
for cross-realm operations.

To compile it on something like Fedora you can use the following line:

gcc -g -Wall -Werror -o print-pac -I/usr/include/samba-4.0 print-pac.c  -lgssapi_krb5 -lkrb5 -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba -lndr-samba4 -lndr-krb5pac -lndr  -ltalloc -lsamba-util -lpopt

It is basically Samba libraries + Kerberos/GSSAPI + popt.

If people are interested, I can submit it to Samba upstream as well.


-- 
/ Alexander Bokovoy


