[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Andrew Bartlett
abartlet at samba.org
Wed Apr 26 02:04:30 UTC 2023
On Tue, 2023-04-25 at 18:45 -0700, Daniel Lakeland via samba wrote:
> On 4/25/23 16:43, Andrew Bartlett wrote:
> > So I knew this would happen, sorry about that.
> >
> > When we did the big 2021 security fixes, we strictly set a line between
> > 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
> >
> > This was meant to ensure that folks would not connect Samba as a
> > 'standalone' server in an AD domain, bypassing the security mitigation
> > we put in place against the 'dollar ticket attack' where users could
> > create an account called 'root$' but print it as 'root'.
> >
> > The problem is that subsequent to that, I saw that the MIT folks
> > decided to always issue a PAC, just without the LOGON_INFO
> > component. Samba doesn't do well with that, and a fix is needed both
> > in this code and in winbindd to change the test from 'has a PAC' to
> > 'has a PAC with LOGON_INFO'.
> >
>
> Brilliant! Glad you identified the problem! Is there somewhere I should
> file a specific bug or have you already done that?
>
> I really appreciate you looking into this and figuring out what the
> problem is.
>
> Dan
You can file a bug in bugzilla if you like. I've sent you an invite.
Then you can work on carefully building a fix, and submit it to us per
https://wiki.samba.org/index.php/Contribute
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
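Added illustration, not code from the thread or from Samba (whose implementation is in C): a stand-alone Python parser for the PACTYPE header laid out in MS-PAC, run over two constructed sample PACs (one AD-style carrying LOGON_INFO, one MIT-style without it) to show how the test 'has a PAC' differs from 'has a PAC with LOGON_INFO'. The buffer-type constants are the MS-PAC ulType values; the sample payloads are dummies.

```python
import struct

# PAC_INFO_BUFFER ulType values from MS-PAC section 2.4.
PAC_LOGON_INFO = 1        # KERB_VALIDATION_INFO: the authorization data AD adds
PAC_SERVER_CHECKSUM = 6
PAC_KDC_CHECKSUM = 7
PAC_CLIENT_INFO = 10      # client name and ticket info


def parse_pac_buffer_types(pac):
    """Return the ulType of every PAC_INFO_BUFFER in a PACTYPE blob.

    Layout (MS-PAC 2.3, little-endian): cBuffers (4 bytes), Version (4 bytes,
    must be 0), then cBuffers entries of ulType (4), cbBufferSize (4), Offset (8).
    """
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    types = []
    for i in range(count):
        entry = 8 + i * 16
        if entry + 16 > len(pac):
            raise ValueError("PAC_INFO_BUFFER array truncated")
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, entry)
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ul_type} points outside the PAC")
        types.append(ul_type)
    return types


def has_logon_info(pac):
    """The check the thread asks for: not 'has a PAC' but 'has a PAC with LOGON_INFO'."""
    return pac is not None and PAC_LOGON_INFO in parse_pac_buffer_types(pac)


def build_pac(buffers):
    """Constructed helper: assemble a minimal PACTYPE from {ulType: payload}."""
    header_len = 8 + 16 * len(buffers)
    entries, body, cursor = b"", b"", header_len
    for ul_type, payload in buffers.items():
        entries += struct.pack("<IIQ", ul_type, len(payload), cursor)
        padded = payload + b"\0" * (-len(payload) % 8)  # MS-PAC pads buffers to 8 bytes
        body += padded
        cursor += len(padded)
    return struct.pack("<II", len(buffers), 0) + entries + body


# Constructed samples: an AD-style PAC with LOGON_INFO and an MIT-style PAC without it.
CHECKSUMS = {PAC_SERVER_CHECKSUM: b"\0" * 16, PAC_KDC_CHECKSUM: b"\0" * 16}
AD_STYLE_PAC = build_pac({PAC_LOGON_INFO: b"\x01" * 20, PAC_CLIENT_INFO: b"\x02" * 10, **CHECKSUMS})
MIT_STYLE_PAC = build_pac({PAC_CLIENT_INFO: b"\x02" * 10, **CHECKSUMS})
```

A consumer that only tests `pac is not None` accepts both samples; `has_logon_info` accepts only the AD-style one.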