[Samba] Obtaining Login Session for Verification

Andrew Bartlett abartlet at samba.org
Fri May 20 22:30:16 UTC 2022

On Fri, 2022-05-20 at 10:44 -0700, Jeremy Allison via samba wrote:
> On Fri, May 20, 2022 at 11:10:50AM -0400, ralph strebbing wrote:
> > On Thu, May 19, 2022 at 5:44 PM Jeremy Allison <jra at samba.org> wrote:
> > > Can you explain what "the agent" does to authenticate ?
> > The agent is what we're building. Right now it is just pulling the
> > current username, what we want is to somehow (if possible), obtain the
> > ticket (may not be the correct term) of the currently logged in user,
> > and pass that off to Samba for verification. That's all I'm asking
> > for, or if it's possible.
> This is on a Windows client, yes ? Normally this happens under
> the covers via the Windows auth subsystem (getting the service
> ticket from the KDC/AD and then passing to the Samba server).
> > > I think we need more info on how the Palo Alto firewall
> > > does authentication.
> > The Palo has tons of ways to authenticate, but in this case the Palo
> > isn't doing anything, WE are doing the legwork with a custom developed
> > solution and just telling the palo via its API, "DOMAIN\User is
> > mapped to IP". That's it on the Palo end. Our intermediate server, the
> > thing the Agent talks to, and what sends the above commands to the
> > Palo API is just ingesting the info sent from the agent, THAT is the
> > part we are trying to secure, Rather than sending the username, it
> > would be nice to send the login ticket from the agent to the
> > intermediate server, then (if possible), send a request to Samba to
> That sounds like a forwardable ticket ? I don't think you want
> to send the TGT.
> > verify whether the ticket sent was valid or not, and what domain user
> > it belonged to. If valid, send mapping commands, if not, do nothing.
> I'm still unclear as to what types of krb5 tickets you're trying
> to do what with :-). Might make it clearer if you describe in
> terms of krb5 tickets only.

Simplest might be to write a simple web app that runs under
mod_auth_kerb.  An attacker could spoof the client IP but won't be able
to spoof the username outside the horror show that is AD Kerberos
(variations are:  UPN, username without $ and the samAccountName you
actually want, all in any case)

(This was one of the many things Samba had to work around in our recent
Nov 2021 CVE, in our case by requiring the PAC).

By using Kerberos you know the ticket is authentic, against the keytab.

Andrew Bartlett
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
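As an added example (not code from the thread or from Samba), here is how the web app Andrew describes could canonicalise the principal that mod_auth_kerb hands it in REMOTE_USER before emitting a "DOMAIN\User" mapping: it accepts only the user@REALM shape that comes from a verified ticket, folds case, strips the trailing '$' of computer accounts, and refuses realms it does not know. The realm-to-NetBIOS-domain table is constructed for the example, and resolving a UPN suffix to the real samAccountName would still need a directory lookup, which is not shown.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: Kerberos realm -> NetBIOS domain name.
# A real deployment would load this from configuration.
REALM_TO_DOMAIN = {"EXAMPLE.COM": "EXAMPLE", "CORP.EXAMPLE.COM": "CORP"}

# Only the "user@REALM" form that mod_auth_kerb sets in REMOTE_USER is accepted.
_PRINCIPAL_RE = re.compile(r"^(?P<user>[^@/\\]+)@(?P<realm>[^@]+)$")


@dataclass(frozen=True)
class Identity:
    domain: str        # NetBIOS domain derived from the realm
    account: str       # lower-cased account name without a trailing '$'
    is_machine: bool   # principal carried a trailing '$' (computer account)

    def mapping_key(self) -> str:
        """The DOMAIN\\user string handed to the firewall mapping API."""
        return f"{self.domain}\\{self.account}"


def normalize_remote_user(remote_user: str) -> Optional[Identity]:
    """Canonicalise REMOTE_USER, or return None if it must not be mapped.

    Bare usernames and DOMAIN\\user strings are rejected: they carry no
    Kerberos realm, so they cannot have come from a ticket verified
    against the keytab. Unknown realms are rejected for the same reason.
    """
    m = _PRINCIPAL_RE.match(remote_user.strip())
    if not m:
        return None
    user = m.group("user")
    realm = m.group("realm").upper()          # realms compare case-insensitively
    domain = REALM_TO_DOMAIN.get(realm)
    if domain is None:
        return None
    is_machine = user.endswith("$")
    if is_machine:
        user = user[:-1]                      # HOST01$ -> HOST01
    if not user or "$" in user:
        return None
    return Identity(domain=domain, account=user.lower(), is_machine=is_machine)
```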
