Query on commit 1bc2f28b9420829645ed571daf2a17e6688b2103
Jeremy Allison
jra at samba.org
Tue Sep 27 21:50:01 UTC 2016
Hi Christof,
I know it's a while ago, but can you explain part
of 1bc2f28b9420829645ed571daf2a17e6688b2103 to me?
--------------------------------------------------------
Author: Christof Schmitt <christof.schmitt at us.ibm.com>
Date: Wed Jul 18 14:38:47 2012 -0700
winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PAC is also added to the netsamlogon_cache.
The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows retrieving the
complete group list through the NSS function getgrouplist.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
--------------------------------------------------------
It adds the function winbindd_pam_auth_pac_send(), which
I mostly understand, except for this part:
+ if (logon_info) {
+ /* Signature verification succeeded, trust the PAC */
+ netsamlogon_cache_store(NULL, &logon_info->info3);
+
+ } else {
+ /* Try without signature verification */
+ result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
+ NULL, NULL, NULL, 0,
+ &logon_info);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10, ("Could not extract PAC: %s\n",
+ nt_errstr(result)));
+ return result;
+ }
+ }
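Review bot: the else branch downgrades trust without telling the caller. When logon_info is NULL after the verified attempt, the hunk re-parses the same pac_blob with every key argument set to NULL, and if that parse succeeds the function continues with NT_STATUS_OK, so the caller receives an info3 that was never signature-checked and cannot distinguish it from a verified one; the only visible difference is that the unverified info3 is not passed to netsamlogon_cache_store(). Suggest either returning a distinct status for the unverified case, or expanding the comment `/* Try without signature verification */` to state that the resulting info3 is untrusted and must not be used for authorization decisions, so callers do not assume the PAC was validated.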
It's the second clause - "Try without signature verification" that
I don't get.
Under what circumstances would a PAC fail the signature verification?
In this case if the PAC that failed the signature verification contains
a logon_info field then we still return NT_STATUS_OK.
In this case we don't add anything into the netsamlogon_cache_store(),
so I don't think this is a security issue, but it looks strange to me.
Is this just for testing purposes?
I'm asking as I really want to use this call to fix bug:
https://bugzilla.samba.org/show_bug.cgi?id=11259
but that part of the server winbind processing I don't
understand (yet :-).
Cheers,
Jeremy.