[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Andrew Bartlett abartlet at samba.org
Tue Apr 25 23:43:08 UTC 2023


On Thu, 2023-04-13 at 15:55 -0700, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect
> from 
> 
> a MacOS and they got:
> 
> 
> 
> 
> 
> [2023/04/13 15:50:50.002773,  1] 
> 
> ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac
> )
> 
>    auth3_generate_session_info_pac: Unexpected PAC for 
> 
> [
> testuser at OURREALM.REALM
> ] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE

So I knew this would happen, sorry about that.

When we did the big 2021 security fixes, we strictly set a line between
'AD has a PAC' and 'MIT Krb5 (traditional) does not'.

This was meant to ensure that folks would not connect Samba as a
'standalone' server in an AD domain, bypassing the security mitigation
we put in place against the 'dollar ticket attack' where users could
create an account called 'root$' but print it as 'root'.

The problem is that subsequent to that, I saw that the MIT folks
decided to always issue a PAC, just without the LOGON_INFO
component.  Samba doesn't do well with that, and a fix is needed both
in this code an in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'. 

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions






More information about the samba mailing list