[Samba] RE: Delegation of authentication (S4U) and SAMBA
Todd Stecher
todd.stecher at isilon.com
Wed Feb 20 21:58:19 GMT 2008
From my readings, only the Heimdal Kerberos distribution has S4USelf
support, at least in the Samba 4 code base. MIT tries to stay away
from being PAC-cognizant.
It sounds like you're trying to do something slightly different - e.g.
Constrained Delegation, where the identity lives in the PAC, and not
in the ticket. There are additional security considerations which
come into play when relying simply on the PAC, since anyone can put a
PAC into a service ticket with a custom codebase - you can easily get
into cases of identity theft if you also don't verify the second
(KRBTGT HMAC of the server signature) signature in the PAC.
I can't say much more than that, unfortunately, but I wanted to point
out the ease of escalation of privs unless the other security
mechanisms are evaluated before trusting the PAC's principal.
Todd
On Feb 20, 2008, at 12:49 PM, Andrew Bartlett wrote:
>
> On Tue, 2008-02-12 at 12:15 -0800, Ephi Dror wrote:
>> Hello,
>>
>> Does samba support the use of S4U?
>>
>> What do we need to configure in SAMBA or krb5 to support getting a
>> ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1
>>
>> We are getting the following error:
>>
>> decode_pac_data: Name in PAC [username at something1.something2.realmname]
>> does not match principal name in ticket
>>
>> The ticket could be different than the PAC name because the ticket was
>> obtained using the S4U extension.
>
> As you have found out, the code does not currently allow this.
>
> Now that we are using the PAC, it shouldn't be too hard for you to
> change things so that instead of requiring the two strings to
> match, it takes the PAC in precedence (if available).
>
> I suggest raising this on samba-technical
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Red Hat Inc.
Todd Stecher | Windows Interop Dev
Isilon Systems P +1-206-315-7500 F +1-206-315-7501
www.isilon.com D +1-206-315-7638 M +1-425-205-1180
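Todd's warning above is about the two checksums MS-PAC carries: a server signature over the PAC body keyed with the target service's key, and a KDC signature keyed with the krbtgt key computed over that server signature. Anyone holding a service key can mint a ticket and a PAC whose server signature verifies; only the KDC signature ties the PAC's client name back to the KDC. The following Python is an added example written for this page, not Samba or Heimdal code, and it models that structure in simplified form: the PAC is an opaque body plus two signature fields, HMAC-SHA256 stands in for the Kerberos checksum types used on the wire, the body is just the client name rather than a KERB_VALIDATION_INFO blob, and the constructed keys and names are placeholders. It assumes the verifier holds the krbtgt key, which is true of a domain controller; a member server cannot check the KDC signature locally and has to hand the server signature to a DC over the Netlogon secure channel, which `verify_kdc_sig` stands in for here.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Simplified model of MS-PAC signing, written for this page (not Samba or
# Heimdal code). Assumptions: the PAC is an opaque body plus two signature
# fields; HMAC-SHA256 stands in for the Kerberos checksum types used on the
# wire; the body is a plain client-name string. Keys below are constructed.
SERVICE_KEY = b"service-long-term-key (constructed)"
KRBTGT_KEY = b"krbtgt-long-term-key (constructed)"


@dataclass(frozen=True)
class Pac:
    body: bytes        # logon info, including the client name the PAC asserts
    server_sig: bytes  # keyed with the target service's key, over the body
    kdc_sig: bytes     # keyed with the krbtgt key, over server_sig


def _checksum(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(client_name: str, service_key: bytes, krbtgt_key: bytes) -> Pac:
    """What the KDC does: sign the body with the service key, then sign that
    signature with the krbtgt key. (MS-PAC zeroes both signature fields before
    hashing the body; in this model the body simply excludes them.)"""
    body = client_name.encode()
    server_sig = _checksum(service_key, body)
    kdc_sig = _checksum(krbtgt_key, server_sig)
    return Pac(body, server_sig, kdc_sig)


def forge_pac_with_service_key(client_name: str, service_key: bytes) -> Pac:
    """What a 'custom codebase' holding only the service key can produce: a
    server signature that verifies, and a KDC signature it can only guess."""
    body = client_name.encode()
    server_sig = _checksum(service_key, body)
    return Pac(body, server_sig, b"\x00" * 32)


def verify_server_sig(pac: Pac, service_key: bytes) -> bool:
    return hmac.compare_digest(_checksum(service_key, pac.body), pac.server_sig)


def verify_kdc_sig(pac: Pac, krbtgt_key: bytes) -> bool:
    # Stands in for the DC-side check a member server requests over Netlogon.
    return hmac.compare_digest(_checksum(krbtgt_key, pac.server_sig), pac.kdc_sig)


def trusted_client_name(pac: Pac, service_key: bytes, krbtgt_key: bytes):
    """Return the PAC's client name only when both signatures check out;
    otherwise None, so the caller falls back to not trusting the PAC at all."""
    if not verify_server_sig(pac, service_key):
        return None
    if not verify_kdc_sig(pac, krbtgt_key):
        return None
    return pac.body.decode()


def demo() -> dict:
    genuine = kdc_issue_pac("alice@EXAMPLE.COM", SERVICE_KEY, KRBTGT_KEY)
    forged = forge_pac_with_service_key("administrator@EXAMPLE.COM", SERVICE_KEY)
    return {
        # Server signature alone passes for both, so it is not enough on its own.
        "genuine_server_ok": verify_server_sig(genuine, SERVICE_KEY),
        "forged_server_ok": verify_server_sig(forged, SERVICE_KEY),
        # Only the genuine PAC survives the KDC signature check.
        "genuine_name": trusted_client_name(genuine, SERVICE_KEY, KRBTGT_KEY),
        "forged_name": trusted_client_name(forged, SERVICE_KEY, KRBTGT_KEY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one in Todd's message: `forged_server_ok` is True, so a service that checks only the server signature would accept "administrator" as the client, while `trusted_client_name` returns None for the forgery because the KDC signature does not verify. Any change that lets the PAC name take precedence over the ticket's principal name has to sit behind both checks.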