Kerberos features talk at sambaxp

Stefan Metzmacher metze at samba.org
Wed May 27 19:47:21 UTC 2020


Am 27.05.20 um 21:44 schrieb Alexander Bokovoy:
> On ke, 27 touko 2020, Stefan Metzmacher via samba-technical wrote:
>> Hi Isaac,
>>
>>> Thanks for the talk was great, can't wait for the slides :)
>>
>> Thanks! I'm sorry not to finish in time:-(
>>
>> I may be able to complete the recording to the end for the archives.
>>
>> StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
>> can be found under:
>>> https://www.samba.org/~metze/presentations/2020/SambaXP/
>>
>> Also checkout the latest wireshark!
>>> I don't recall a problem with the enterprise principals in old
>>> S4U2Self padata, but I mostly test MIT client, I'll give it a try.
>>
>> I'm also not 100% sure, but I thought you told me about it:-)
>>
>> I think the difference is also the client principal in the referral
>> tickets on the way back.
> 
> As part of our work on server referrals in FreeIPA, Isaac and I made a
> tool that might be useful for these investigations:
> 
> https://pagure.io/freeipa/raw/master/f/daemons/ipa-kdb/ipa-print-pac.c
> 
> It uses GSSAPI and Samba's libndr to obtain tickets and print content of
> a PAC. Obviously, it can be extended to print more ticket details if
> needed.
> 
> It is able to acquire normal service tickets and S4U2Self ones, with
> enterprise principals or not. We use it in FreeIPA tests in-realm and
> for cross-realm operations.
> 
> To compile it on something like Fedora you can use the following line:
> 
> gcc -g -Wall -Werror -o print-pac -I/usr/include/samba-4.0 print-pac.c  -lgssapi_krb5 -lkrb5 -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba -lndr-samba4 -lndr-krb5pac -lndr  -ltalloc -lsamba-util -lpopt
> 
> It is basically Samba libraries + Kerberos/GSSAPI + popt.
> 
> If people are interested, I can submit it to Samba upstream as well.

Isn't that what 'net ads kerberos pac dump' already does?

metze


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20200527/e5b41506/signature.sig>


More information about the samba-technical mailing list