Kerberos features talk at sambaxp
ab at samba.org
Wed May 27 19:56:31 UTC 2020
On Wed, 27 May 2020, Stefan Metzmacher wrote:
> On 27.05.20 at 21:44, Alexander Bokovoy wrote:
> > On Wed, 27 May 2020, Stefan Metzmacher via samba-technical wrote:
> >> Hi Isaac,
> >>> Thanks for the talk, it was great, can't wait for the slides :)
> >> Thanks! I'm sorry not to finish in time:-(
> >> I may be able to complete the recording to the end for the archives.
> >> StefanMetzmacher_sambaxp2020_Modern_Kerberos-rev0-compact.pdf
> >> can be found under:
> >>> https://www.samba.org/~metze/presentations/2020/SambaXP/
> >> Also check out the latest Wireshark!
> >>> I don't recall a problem with the enterprise principals in old
> >>> S4U2Self padata, but I mostly test MIT client, I'll give it a try.
> >> I'm also not 100% sure, but I thought you told me about it:-)
> >> I think the difference is also the client principal in the referral
> >> tickets on the way back.
> > As part of our work on server referrals in FreeIPA, Isaac and I made a
> > tool that might be useful for these investigations:
> > https://pagure.io/freeipa/raw/master/f/daemons/ipa-kdb/ipa-print-pac.c
> > It uses GSSAPI and Samba's libndr to obtain tickets and print content of
> > a PAC. Obviously, it can be extended to print more ticket details if
> > needed.
> > It is able to acquire normal service tickets and S4U2Self ones, with
> > enterprise principals or not. We use it in FreeIPA tests in-realm and
> > for cross-realm operations.
> > To compile it on something like Fedora you can use the following line:
> > gcc -g -Wall -Werror -o print-pac -I/usr/include/samba-4.0 print-pac.c -lgssapi_krb5 -lkrb5 -L/usr/lib64/samba -Wl,-rpath=/usr/lib64/samba -lndr-samba4 -lndr-krb5pac -lndr -ltalloc -lsamba-util -lpopt
> > It is basically Samba libraries + Kerberos/GSSAPI + popt.
> > If people are interested, I can submit it to Samba upstream as well.
> Isn't that what 'net ads kerberos pac dump' already does?
Partially. This does not require a working Samba configuration on the
system, which is useful if you want to test unrelated issues in a
/ Alexander Bokovoy