[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Andrew Bartlett abartlet at samba.org
Wed Apr 26 02:04:30 UTC 2023

On Tue, 2023-04-25 at 18:45 -0700, Daniel Lakeland via samba wrote:
> On 4/25/23 16:43, Andrew Bartlett wrote:
> > So I knew this would happen, sorry about that.
> > 
> > When we did the big 2021 security fixes, we strictly set a line
> > between
> > 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
> > 
> > This was meant to ensure that folks would not connect Samba as a
> > 'standalone' server in an AD domain, bypassing the security
> > mitigation
> > we put in place against the 'dollar ticket attack' where users
> > could
> > create an account called 'root$' but print it as 'root'.
> > 
> > The problem is that subsequent to that, I saw that the MIT folks
> > decided to always issue a PAC, just without the LOGON_INFO
> > component.  Samba doesn't do well with that, and a fix is needed
> > both
> > in this code an in winbindd to change the test from 'has a PAC' to
> > 'has a PAC with LOGON_INFO'.
> > 
> Brilliant! glad you identified the problem! Is there somewhere I
> should 
> file a specific bug or have you already done that?
> I really appreciate you looking into this and figuring out what the 
> problem is.
> Dan

You can file a bug in bugzilla if you like.   I've sent you an invite.

Then you can work on carefully building a fix, and submit it to us per 

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list