Fix smartcard offline logon and NTLM authentication

Andrew Bartlett abartlet at samba.org
Thu Jul 21 10:46:54 UTC 2016 

On Wed, 2016-07-20 at 10:44 +0200, Stefan Metzmacher wrote:
> Am 19.07.2016 um 21:38 schrieb Andrew Bartlett:
> > On Tue, 2016-07-19 at 20:05 +0200, Stefan Metzmacher wrote:
> > 
> > > I've added more PAC tests to
> > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/he
> > > ads/
> > > master4-smart-base
> > > 
> > > Some of this is already reviewed by Günther and on its way to
> > > master.
> > > 
> > > Please have a look.
> > 
> > Thanks. 
> > 
> > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/he
> > > ads/
> > > master4-smart-ok
> > > is rebased on master4-smart-base.
> > > 
> > > I'm not sure what tests you see as a requirement to let this
> > > in...
> > 
> > I understand your frustration.  Hopefully the below spells it out a
> > bit
> > more clearly.
> > 
> > > And
> > > https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/he
> > > ads/
> > > master4-smart-tmp> finally adds the UPN_DNS_INFO to the kdc code.
> > > 
> > 
> > In torture/rpc/remote_pac.c:test_PACVerify(), we need to add a
> > runtime
> > assertion of the UPN_DNS_INFO, and the PAC ordering, and anything
> > else
> > (within reason) that we can detect.  
> > 
> > This is because the torture/auth/pac.c code no longer runs the same
> > PAC
> > marshalling code as the KDC, because we let Heimdal do more of that
> > now.  That is probably why those tests still pass (they expect a
> > byte
> > -for-byte Win2k3 PAC totally rebuilt!) with the KDC asked to add
> > UPN_DNS_INFO.
> 
> Done, see the master4-smart-tmp branch.
> 
> > Further, I would like to see that test run against the server using
> > PKINIT credentials, and to assert the presence of the CREDENTIALS
> > structure in the right place, and ideally decrypted.  (I will
> > accept
> > not decrypted however). 
> > 
> > That would, in my view, provide the testing needed for the smart
> > -card
> > changes.
> > 
> > I'll make a start on these requirements today.  As I don't have the
> > instructions on setting up smart cards logons with AD, I may need
> > you
> > to verify the tests on Windows 2012R2 if I can't work it out.
> 
> The instructions I used are available at
> https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/
> see the comments in
> https://www.samba.org/~metze/caps/krb5/pkinit/manage-ca/manage-CA-w4e
> dom-l4.base.sh
> 
> The manage-ca scripts are also in master:selftest/manage-ca/
> You just need a .cnf and .sh file for your own domain.
> 
> But concentrate on getting it working in autobuild, the thing I need
> help with is the way how to do a pkinit, when given 3 files,
> the ca cert, the user cert and the user private key without
> passphrase,
> with that information we need to kinit and the result needs to be
> in a cli_credentials structure.

Can you add a call to smbtorture rpc.remote_pac to
testprogs/blackbox/test_pkinit_heimdal.sh, with the --krb5-ccache
option, and --option=torture:pkinit_in_use=true.  Then detect that
inside remote_pac to ensure it doens't wipe the ccache, only runs a
subtest (or perhaps write a distinct test using common subroutines),
and expects the right PAC?

I would love to fix this up for you, but I'm right out of time tonight!

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list