[Samba] Kerberos authentication on standalone server in MIT realm breaks after 4.11.6 -> 4.13.14 update
Ralph Boehme
slow at samba.org
Fri Nov 26 10:16:52 UTC 2021
Hello Sebastien,
On 11/26/21 10:12, Chapiron Sebastien via samba wrote:
> get_user_from_kerberos_info: Username MY.REALM\myuser is invalid on this system
> [2021/11/25 16:41:47.275194, 3, pid=162160, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)
This looks like a regression introduced by the recent security fixes.
The attached patch should hopefully fixes it.
Can you please give it a whirl and report back whether it fixes the
issue for you?
As a quick solution it might be possible to use the username map script
based on the example in
https://bugzilla.samba.org/show_bug.cgi?id=14901#c0.
We're not sure this behaves identical, but it might work in the
standalone server case.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2020-25717-MIT-regression.patch
Type: text/x-patch
Size: 1828 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20211126/bcabd388/CVE-2020-25717-MIT-regression.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20211126/bcabd388/OpenPGP_signature.sig>
More information about the samba
mailing list