[Samba] Failing authentication when PAC present in kerberos service ticket

Ahti Seier ahti.seier at gmail.com
Thu Feb 3 12:55:45 UTC 2022


Hello,

  We have been running samba in standalone mode (security = user) with
kerberos authentication. The hosts themselves are registered to a freeIPA
domain. There is a kerberos trust set up between freeIPA and our AD. NSS is
perfectly capable of looking up both AD and freeIPA users and groups on the
hosts.

  We also have a special DNS zone for services, so the samba service can be
accessed by navigating to "\\host.hostdomain" or "\\name.servicedomain".
The domain for services uses the AD kerberos realm for authentication, so our
keytab contains entries for:
cifs/host.hostdomain@HOSTDOMAIN
cifs/name.servicedomain@ADDOMAIN

  This all worked fine for years, but in November it was decided that, if
running in standalone mode and if the kerberos service ticket has a PAC
attached, authentication should fail:
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC
in standalone mode (2609e429) · Commits · The Samba Team / Samba · GitLab
<https://gitlab.com/samba-team/samba/-/commit/2609e4297e04c93ca5bd1466617c4536faf5be32>

  Now this configuration no longer works for AD users, as they will
have the PAC in their service ticket. For now I wrote a patch for our samba
with a configuration parameter that allows ignoring the PAC for all
connections, and this allows the previous configuration to work again.

  As a long term solution I am also looking into setting up samba as a
freeIPA domain member based on this:
Support Samba file server as a domain member on IPA client — FreeIPA
4.9-dev documentation
<https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html>

  But it does not seem like a trivial task. It involves modifying tdb files
etc. It will also need to run winbind.

  So I was wondering: what benefits will I actually get from running
winbind instead of having NSS on the hosts resolve users and groups?

  Or am I going about this the wrong way? Is there a better way to
authenticate AD users to a non-AD-joined host?

