Heimdal upgrade, really happening this time
Isaac Boukris
iboukris at samba.org
Thu Jul 8 03:39:59 UTC 2021
+ list
On Tue, Jul 6, 2021 at 11:14 AM Stefan Metzmacher <metze at samba.org> wrote:
>
> We most likely also need to change some apis in order to generate PAC Ticket checksums
> (Wireshark support is being added by Isaac and me, see https://gitlab.com/wireshark/wireshark/-/merge_requests/3570)
> and also for compound identity PACs when offering FAST.
> "wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
> https://github.com/heimdal/heimdal/pull/767
> might also be related here.
I took a look at PR 767 (which is related to bug 14642) and managed to get a PoC working: the KDC is now able to issue a minimal PAC with all signatures even without hdb support. This would allow the removal of KRB5SignedPath while keeping S4U2Proxy and its upstream test working (we don't need delegation-info for that, and we can live on the NDR boundary). I've updated the PR. Here is an example captured from the upstream tests:
authorization-data: 1 item
AuthorizationData item
ad-type: aD-IF-RELEVANT (1)
ad-data: 308197308194a00402020080a1818b04818804000000000000000a000000100000004800…
AuthorizationData item
ad-type: aD-WIN2K-PAC (128)
ad-data: 04000000000000000a00000010000000480000000000000006000000100000005800000…
Verified Server checksum 16 keytype 18 using keytab principal host/datan.test.h5l.se at TEST.H5L.SE (id=keytab.1 same=0) (ce52810b...)
Verified KDC checksum 16 keytype 18 using keytab principal krbtgt/TEST.H5L.SE at TEST.H5L.SE (id=keytab.27 same=0) (ee737882...)
Verified Ticket checksum 16 keytype 18 using keytab principal krbtgt/TEST.H5L.SE at TEST.H5L.SE (id=keytab.27 same=0) (ee737882...)
Num Entries: 4
Version: 0
Type: Client Info Type (10)
Type: Server Checksum (6)
Type: Privsvr Checksum (7)
Type: Ticket Checksum (16)
I'm still confused about what '_kdc_pac_verify()' should look like; I think Samba might be picky about the kdc_key (mostly relevant to be able to act as a DC alongside other Windows DCs in the same domain). Perhaps we should split the API, as it is currently overloaded imo.
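The capture above lists four PAC buffers and three verified checksums. As an added example (not code from this thread, from Heimdal or from Samba), here is a Python parser for the PACTYPE header and its PAC_INFO_BUFFER table that applies the structural checks a KDC or service should make before it trusts any of those signatures: bounds, 8-byte alignment, overlap, and that each PAC_SIGNATURE_DATA buffer's size fits its Kerberos checksum type (the 16-byte buffers in the capture are a 4-byte type 16 plus a 12-byte HMAC-SHA1-96 signature). The sample PAC it builds is constructed to mirror the captured layout, since the hex on the page is truncated; the buffer types and checksum types are the MS-PAC and RFC 3962 values.

```python
import struct

# MS-PAC buffer types that appear in the capture above
PAC_CLIENT_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_TICKET_CHECKSUM = 10, 6, 7, 16
SIGNATURE_BUFFERS = frozenset({PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_TICKET_CHECKSUM})
# Kerberos checksum type -> signature length: 15/16 = HMAC-SHA1-96 (AES128/AES256), -138 = HMAC-MD5
SIG_LEN = {15: 12, 16: 12, -138: 16}

def parse_pac(pac: bytes, required=SIGNATURE_BUFFERS) -> dict:
    """Parse PACTYPE (cBuffers, Version) and the PAC_INFO_BUFFER table into
    {buffer_type: (offset, size)}, rejecting out-of-range, misaligned, overlapping or
    duplicate buffers, wrong-sized signature buffers and PACs missing a `required` one."""
    if len(pac) < 8:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    table_end = 8 + count * 16
    if version != 0 or table_end > len(pac):
        raise ValueError(f"bad PAC header: version={version} cBuffers={count}")
    buffers, spans = {}, []
    for i in range(count):
        # PAC_INFO_BUFFER: ulType (u32), cbBufferSize (u32), Offset (u64), little-endian
        btype, size, offset = struct.unpack_from("<IIQ", pac, 8 + i * 16)
        if offset % 8 or offset < table_end or offset + size > len(pac):
            raise ValueError(f"buffer {btype}: offset/size {offset}/{size} out of range")
        if btype in buffers or any(offset < e and s < offset + size for s, e in spans):
            raise ValueError(f"buffer {btype}: duplicated or overlapping")
        if btype in SIGNATURE_BUFFERS:
            # PAC_SIGNATURE_DATA: SignatureType (signed 32-bit) followed by the raw signature
            cksumtype = struct.unpack_from("<i", pac, offset)[0] if size >= 4 else None
            if size != 4 + SIG_LEN.get(cksumtype, -1):
                raise ValueError(f"buffer {btype}: size {size} wrong for checksum type {cksumtype}")
        buffers[btype] = (offset, size)
        spans.append((offset, offset + size))
    missing = set(required) - buffers.keys()
    if missing:
        raise ValueError(f"PAC lacks signature buffer(s) {sorted(missing)}")
    return buffers

def build_sample_pac() -> bytes:
    """Constructed sample (not the captured bytes): the capture's four-buffer
    layout with checksum type 16 (AES256) and zeroed 12-byte signatures."""
    client_info = struct.pack("<QH", 0, 6) + "bob".encode("utf-16-le")  # 16 bytes
    sig = struct.pack("<i", 16) + bytes(12)                              # 16 bytes
    bodies = [(PAC_CLIENT_INFO, client_info)] + [(t, sig) for t in sorted(SIGNATURE_BUFFERS)]
    table, data, offset = b"", b"", 8 + 16 * len(bodies)
    for btype, body in bodies:
        table += struct.pack("<IIQ", btype, len(body), offset)
        data, offset = data + body, offset + len(body)
    return struct.pack("<II", len(bodies), 0) + table + data
```

On the constructed sample the parser returns the same offsets as the capture's header (0x48, 0x58, 0x68, 0x78); a PAC with a missing or truncated signature buffer is rejected before any key is ever touched.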