Heimdal upgrade, really happening this time

Stefan Metzmacher metze at samba.org
Tue Jul 6 08:14:19 UTC 2021


Hi Andrew,

>> My current draft is up as a MR, and I'll continue to work to upstream
>> what I can (into Samba/Heimdal).  I do plan to upgrade Heimdal again
>> (perhaps to align to a release in 2021 if they make one) before I
>> finally merge the branch.
>>
>> https://gitlab.com/samba-team/samba/-/merge_requests/2014

Also keep the following in mind when proposing upstream changes:
- (kdc outdated passwords)
  https://gitlab.com/samba-team/samba/-/merge_requests/664
- S4U2Proxy requests with encrypted authorization-data are rejected by a Samba KDC
  https://bugzilla.samba.org/show_bug.cgi?id=13131
- The KDC logic around msDs-supportedEncryptionTypes differs from Windows
  https://bugzilla.samba.org/show_bug.cgi?id=13135
- S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)
  https://bugzilla.samba.org/show_bug.cgi?id=13137
- PKINIT fixes:
  https://github.com/metze-samba/heimdal/tree/heimdal-smartcard

We most likely also need to change some APIs in order to generate PAC Ticket checksums
(Wireshark support is being added by Isaac and me, see https://gitlab.com/wireshark/wireshark/-/merge_requests/3570)
and also for compound identity PACs when offering FAST.
"wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
https://github.com/heimdal/heimdal/pull/767
might also be related here.

I'll also try to start the discussion about
GSS_KRB5_CRED_NO_TRANSIT_CHECK_X again, see
https://github.com/heimdal/heimdal/pull/656
https://github.com/krb5/krb5/pull/1005

metze
