[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Sep 15 08:05:05 UTC 2023
Am 15.09.23 um 10:02 schrieb Stefan Metzmacher via samba-technical:
> Am 15.09.23 um 00:31 schrieb Andrew Bartlett:
>> commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414
>> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
>> Date: Mon Sep 4 13:20:34 2023 +1200
>>
>> s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
>>
>> I’m not sure exactly how this check was supposed to work. But in any
>> case, within fast_unwrap_request() the Heimdal KDC replaces the outer
>> padata with the padata from the inner FAST request. Hence, this check
>> does not accomplish anything useful: at no point should the KDC plugin
>> see the outer padata.
>>
>> A couple of unwanted consequences resulted from this check. One was that
>> a client who sent empty FX‐FAST padata within the inner FAST request
>> would receive the *Authentication Authority* Asserted Identity SID
>> instead of the *Service* Asserted Identity SID. Another consequence was
>> that a client could in the same manner bypass the restriction on
>> performing S4U2Self with an RODC‐issued TGT.
>>
>> Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
>> Heimdal plugin API gives us nothing better to work with.
>>
>> Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>> Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>
> Shouldn't we backport this?

Same for these:

commit ba1750082adf87a700711f7b99573434f50fc41b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 25 11:04:32 2023 +1200

claims.idl: Be more lenient in our expectations for the compression of claims

384 bytes is not a strict threshold below which claims are never to be
compressed. Windows has been known to compress claims a mere 368 bytes
in size.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 571ff5f31411689e9eb67ce8df837e79bb1fef2d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 25 11:01:09 2023 +1200

claims.idl: Allow empty claim value buffers

Windows doesn’t reject these, nor do we have any reason to do so.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

metze