Fix smartcard offline logon and NTLM authentication
Andrew Bartlett
abartlet at samba.org
Mon Jun 27 03:02:53 UTC 2016
On Mon, 2016-06-20 at 22:55 +0200, Stefan Metzmacher wrote:
> Hi,
>
> here're some patches to fix smartcard offline logons
> and related bugs.
>
> The key part is adding PAC_CREDENTIAL with the NTHASH.
>
> In order to avoid an NTHASH based on a password,
> I also implemented the UF_SMARTCARD_REQUIRED feature,
> that generates a random NTHASH value, that is only
> known to the KDC and the private key of the smartcard.
>
> I may need to add some more BUG: markers, but you can start
> with the review now:-)
>
> See
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-ok
> it's based on
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smart-base
G'Day metze,
I can't see any tests for the critical components of this task, that is
the changed PAC. Can you add a test that confirms the returned PAC has
the correct password, or that these elements are present?
I'll keep looking over the rest of the changes. I know you mention
adding more BUG: markers, which is OK, but please don't backport these.
Samba 4.5 is coming soon enough, and I would really prefer not to see
big backports made for pwdLastSet or smart card login features.
Finally, please ensure that you fix the code to pass the repl_move
test. This is sensitive to the exact repl_meta_data behaviour, in
particular the number of password attributes with metadata, but it
seems we still don't match Windows even with your changes.
Thanks!
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
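The design metze describes above (a random NT hash for UF_SMARTCARD_REQUIRED accounts, known only to the KDC and handed to the client in PAC_CREDENTIAL) and the kind of PAC check Andrew asks for, as an added Python illustration that is not Samba's code. MD4 is implemented inline so the example runs where hashlib has no md4; the function names unicode_pwd_for_account and check_pac_credential, the rng hook and the candidate-password list are assumptions made for illustration. The flag value 0x00040000 is the ADS_UF_SMARTCARD_REQUIRED bit of userAccountControl.

```python
"""
Added illustration (not Samba code): how a KDC can derive the NT hash it
stores for an account and later carries in PAC_CREDENTIAL, and the kind of
assertion a PAC test could make.  Function names and the rng/candidate
parameters are hypothetical.
"""
import os
import struct

# userAccountControl bit marking an account as smart-card-only.
UF_SMARTCARD_REQUIRED = 0x00040000


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def _md4_block(state, block):
    X = struct.unpack('<16I', block)
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for f, k, shifts, order in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
            a, b, c, d = d, a, b, c
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the hash behind the NT hash."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b'\x80'
    padded += b'\x00' * ((56 - len(padded) % 64) % 64)
    padded += struct.pack('<Q', len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode('utf-16-le'))


def unicode_pwd_for_account(user_account_control: int, password,
                            rng=os.urandom) -> bytes:
    """Value the KDC stores as the account's NT hash (hypothetical helper).

    With UF_SMARTCARD_REQUIRED set, the hash is 16 random bytes that never
    derive from any password; otherwise it is the NT hash of the password.
    """
    if user_account_control & UF_SMARTCARD_REQUIRED:
        return rng(16)
    if password is None:
        raise ValueError("password required unless UF_SMARTCARD_REQUIRED is set")
    return nt_hash(password)


def check_pac_credential(user_account_control: int, stored_nthash: bytes,
                         pac_nthash: bytes, candidate_passwords=()) -> bool:
    """Assertion a PAC_CREDENTIAL test could make (hypothetical helper).

    The hash carried in the PAC must be exactly the stored one, and for a
    smart-card-only account it must not equal the NT hash of any password a
    test (or an attacker) could guess.
    """
    if len(pac_nthash) != 16 or pac_nthash != stored_nthash:
        return False
    if user_account_control & UF_SMARTCARD_REQUIRED:
        return all(pac_nthash != nt_hash(p) for p in candidate_passwords)
    return True
```

The rng hook exists only so a test can pin the "random" value; a real KDC would persist the generated hash alongside the account, since a value that changes on every lookup would break offline logon and NTLM just as surely as a missing PAC_CREDENTIAL does.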