Clarification on MS-PAC KERB_VALIDATION_INFO and Samba's implementation regarding UserFlags
Osipov, Michael (IN IT IN)
michael.osipov at innomotics.com
Mon Sep 30 13:49:37 UTC 2024
Hi folks,
I seek guidance from you experts on the following case whether Samba's
implementation and your understanding adheres to the specs off MS-PAC:
I have moved a server from one forest to another last weekend while the
actual users remained in the old forest. The server runs Samba 4.16 ATM,
but also also custom software written in Java utilizing the MS-PAC from
the service ticket.
While processing the PAC from one specific user the KERB_VALIDATION_INFO
failed to be parsed because ExtraSids pointer is set to NULL, but
UserFlags has flag D set. The domain controller issued that ticket is
Windows Server 2019 Standard running on
domainFunctionality/forestFunctionality 6 and
domainControllerFunctionality 7.
Now re-reading [1] it says that if flags D/H are set the appropriate
pointers must not be NULL. Something does not add up for me here.
In Samba code the NETLOGON_EXTRA_SIDS [2] is always added regardless
group_sids_to_info3() may actually not add any extra SIDs [3]. On the
contrary, this code [4] does set this flag only if any extra SIDs are
available, so does this test code [5]. Especially according to [5] my
KERB_VALIDATION_INFO case is expected to fail.
My question is now: How to properly understand the
ExtraSids/ResourceGroupDomainSid/ResourceGroupIds when those are NULL,
can the flags still be set? If those are non NULL, the flags MUST be set
for sure.
I can provide the dump and a parsed view from the dump privately before
and after the server migration.
My actual fix for the problem is here [6] and the issue for it here [7]
Best regards,
Michael
[1]
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/69e86ccc-85e3-41b9-b514-7d969cd0ed73
[2]
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/source3/auth/server_info.c#L613C27-L613C46
[3]
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/source3/auth/server_info.c#L252-L254
[4]
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/auth/auth_sam_reply.c#L399-L404
[5]
https://github.com/samba-team/samba/blob/f749330ddaba04cdae20570a9e842327715f3594/python/samba/tests/krb5/raw_testcase.py#L4195-L4214
[6] https://github.com/michael-o/tomcatspnegoad/pull/24
[7] https://github.com/michael-o/tomcatspnegoad/issues/23
More information about the samba-technical
mailing list