eUPN and Kerberos PAC issues

Andrew Bartlett abartlet at samba.org
Wed Mar 11 19:03:11 MDT 2015


On Wed, 2015-03-11 at 18:18 +1300, Andrew Bartlett wrote:

> > I noticed it only because the PAC in the AS-REP and referral ticket were
> > generated by a Windows 2012R2 KDC and the samba/heimdal kdc
> > fails to verify the PAC in the TGS-REQ.
> > 
> > I'll have a look at the patches later, thanks!
> > 
> > metze
> > 
> 
> Thanks.  It seems I broke samba4.local.pac, so I'll investigate that
> tomorrow if it isn't obvious to you.

This showed up that we got things wrong in our old PAC-creation code,
and made me think about UPN and samAccountName values with spaces in
them.  The attached patches fix these cases as well.

Attached is the whole series.  Please review/push when you are able.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-kerberos-Do-a-string-comparison-in-kerberos_dec.patch
Type: text/x-patch
Size: 2699 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-torture-krb5-Test-accepting-the-ticket-to-ensure-PAC.patch
Type: text/x-patch
Size: 7329 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-auth-kerberos-Use-KRB5_PRINCIPAL_UNPARSE_DISPLAY-in-.patch
Type: text/x-patch
Size: 1095 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-heimdal-lib-krb5-allow-enterprise-principals-in-veri.patch
Type: text/x-patch
Size: 1020 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-heimdal-lib-krb5-let-build_logon_name-use-KRB5_PRINC.patch
Type: text/x-patch
Size: 1136 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-dsdb-Allow-spaces-in-userPrincipalName-values.patch
Type: text/x-patch
Size: 1570 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-selftest-Change-testsuite-to-use-a-UPN-with-a-space-.patch
Type: text/x-patch
Size: 1910 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-kdc-Ensure-we-cope-with-a-samAccountName-with-a-spac.patch
Type: text/x-patch
Size: 2011 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0009-selftest-Change-testsuite-to-use-a-samAccountName-wi.patch
Type: text/x-patch
Size: 3451 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150312/d606c978/attachment.pgp>

