Samba KDC support for key-based trusts and strong and weak mappings (+ further kerberos hardening)

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Tue May 27 23:34:03 UTC 2025


hi all,

We at Catalyst are likely to be working on features that allow tight
mappings between AD users and certificates. This is getting towards
"Windows Hello for Business" support, which essentially uses your laptop
as a hardware security token.

The msDS-KeyCredentialLink attribute in the AD database indicates
eligible certificates, while a "SID extension" in a certificate
indicates the user the certificate expects. We are going to work on those.

Another thing we are going to implement is the strong and weak mappings
using altSecurityIdentities to address the "Certifried" exploit. This
will matter a lot more for Samba once people start using certificates.

Also we want to add options to tighten up Kerberos security beyond that
of Microsoft AD. These are ideas that arose from the CVE cluster known
as "Andrew's Kerberos Concerns". We want to be able to force the PAC to
be sent to the target service, and to check the canonicalised usernames
against cnames. Optionally forcing the PAC will require upstream
Kerberos changes, so we'll need to see about that.

cheers,
Douglas
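The strong and weak altSecurityIdentities mappings mentioned above, as an added worked example that is not code from Samba or from the author of this post. The mapping tags (<I>, <S>, <SR>, <SKI>, <SHA1-PUKEY>, <RFC822>), their strong/weak classification, and the reversed byte order of the serial number in <SR> follow Microsoft's KB5014754 guidance on certificate-based authentication; the sample values are constructed for illustration, and the accept/reject policy in accept_mapping() is this example's own, not a Samba or Windows setting.

```python
"""Classify altSecurityIdentities values as strong or weak certificate mappings.

Added example, not Samba code. Tag names and the strong/weak split follow
Microsoft's KB5014754. All sample values below are constructed.
"""
import re

# Tag sets that form a strong (hard to forge) mapping.
STRONG_TAG_SETS = {
    frozenset({"I", "SR"}),      # IssuerSerialNumber
    frozenset({"SKI"}),          # SubjectKeyIdentifier
    frozenset({"SHA1-PUKEY"}),   # SHA1 of the public key
}

# Tag sets that form a weak mapping: the matched fields are attacker-
# influenceable (subject names, e-mail), which is what Certifried abused.
WEAK_TAG_SETS = {
    frozenset({"I", "S"}),       # IssuerSubject
    frozenset({"S"}),            # SubjectOnly
    frozenset({"RFC822"}),       # e-mail name
}

TAG_RE = re.compile(r"<([A-Z0-9-]+)>")


def parse_alt_security_identity(value):
    """Split 'X509:<TAG>data<TAG>data' into an ordered list of (tag, data)."""
    if not value.startswith("X509:"):
        raise ValueError("not an X509 mapping: %r" % value)
    body = value[len("X509:"):]
    tags = list(TAG_RE.finditer(body))
    if not tags or tags[0].start() != 0:
        raise ValueError("malformed mapping: %r" % value)
    fields = []
    for i, m in enumerate(tags):
        end = tags[i + 1].start() if i + 1 < len(tags) else len(body)
        data = body[m.end():end]
        if not data:
            raise ValueError("empty field <%s> in %r" % (m.group(1), value))
        fields.append((m.group(1), data))
    return fields


def classify_mapping(value):
    """Return 'strong', 'weak' or 'unknown' for one altSecurityIdentities value."""
    tagset = frozenset(tag for tag, _ in parse_alt_security_identity(value))
    if tagset in STRONG_TAG_SETS:
        return "strong"
    if tagset in WEAK_TAG_SETS:
        return "weak"
    return "unknown"


def accept_mapping(value, enforce_strong):
    """Example policy (not a Samba setting): strong mappings are always
    accepted; weak ones only while not enforcing; unknown shapes never."""
    kind = classify_mapping(value)
    if kind == "strong":
        return True
    if kind == "weak":
        return not enforce_strong
    return False


def reverse_serial_bytes(hex_serial):
    """The <SR> field stores the certificate serial number with its bytes
    reversed relative to the order the certificate (and certutil) shows."""
    raw = bytes.fromhex(hex_serial)
    return raw[::-1].hex().upper()


if __name__ == "__main__":
    samples = [  # constructed values, not real accounts or CAs
        "X509:<I>DC=com,DC=example,CN=EXAMPLE-CA<SR>1200000000AC11000000002B",
        "X509:<SKI>1384D6E3A17F5C9B",
        "X509:<SHA1-PUKEY>DDDE9F1F3A2B4C5D",
        "X509:<I>DC=com,DC=example,CN=EXAMPLE-CA<S>CN=alice,CN=Users,DC=example,DC=com",
        "X509:<RFC822>alice@example.com",
    ]
    for s in samples:
        print("%-7s enforce=%s  %s" % (classify_mapping(s),
                                       accept_mapping(s, True), s))
```

A KDC that only ever honours strong mappings turns the Certifried class of attack (forging a certificate whose subject or dNSHostName matches a privileged account) into a no-op, since issuer plus serial number, key identifier or public-key hash cannot be chosen by the requester.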


