Heimdal upgrade, really happening this time
metze at samba.org
Tue Jul 6 08:14:19 UTC 2021
>> My current draft is up as a MR, and I'll continue to work to upstream
>> what I can (into Samba/Heimdal). I do plan to upgrade Heimdal again
>> (perhaps to align to a release in 2021 if they make one) before I
>> finally merge the branch.
Also keep the following in mind when proposing upstream changes:
- (kdc outdated passwords)
- S4U2Proxy requests with encrypted authorization-data are rejected by a Samba KDC
- The KDC logic around msDs-supportedEncryptionTypes differs from Windows
- S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)
- PKINIT fixes:
We most likely also need to change some APIs in order to generate PAC Ticket checksums
(Wireshark support is being added by Isaac and me, see https://gitlab.com/wireshark/wireshark/-/merge_requests/3570)
and also for compound identity PACs when offering FAST.
"wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
might also be related here.
I'll also try to start the discussion about
GSS_KRB5_CRED_NO_TRANSIT_CHECK_X again, see