[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Wed Apr 26 01:45:29 UTC 2023

On 4/25/23 16:43, Andrew Bartlett wrote:
> So I knew this would happen, sorry about that.
> When we did the big 2021 security fixes, we strictly set a line between
> 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
> This was meant to ensure that folks would not connect Samba as a
> 'standalone' server in an AD domain, bypassing the security mitigation
> we put in place against the 'dollar ticket attack' where users could
> create an account called 'root$' but print it as 'root'.
> The problem is that subsequent to that, I saw that the MIT folks
> decided to always issue a PAC, just without the LOGON_INFO
> component.  Samba doesn't do well with that, and a fix is needed both
> in this code an in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'.
Brilliant! glad you identified the problem! Is there somewhere I should 
file a specific bug or have you already done that?

I really appreciate you looking into this and figuring out what the 
problem is.


More information about the samba mailing list