[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Andrew Bartlett
abartlet at samba.org
Tue Apr 25 23:43:08 UTC 2023
On Thu, 2023-04-13 at 15:55 -0700, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect
> from
>
> a MacOS and they got:
>
>
>
>
>
> [2023/04/13 15:50:50.002773, 1]
>
> ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac
> )
>
> auth3_generate_session_info_pac: Unexpected PAC for
>
> [
> testuser at OURREALM.REALM
> ] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
So I knew this would happen, sorry about that.
When we did the big 2021 security fixes, we strictly set a line between
'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
This was meant to ensure that folks would not connect Samba as a
'standalone' server in an AD domain, bypassing the security mitigation
we put in place against the 'dollar ticket attack' where users could
create an account called 'root$' but print it as 'root'.
The problem is that subsequent to that, I saw that the MIT folks
decided to always issue a PAC, just without the LOGON_INFO
component. Samba doesn't do well with that, and a fix is needed both
in this code an in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
More information about the samba
mailing list