[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid
Andreas Schneider
asn at samba.org
Fri Mar 16 10:45:32 UTC 2018
On Friday, 16 March 2018 11:27:01 CET Stefan Metzmacher wrote:
> Am 16.03.2018 um 10:59 schrieb Andreas Schneider:
> > On Friday, 16 March 2018 10:39:35 CET Stefan Metzmacher via
> > samba-technical
> >
> > wrote:
> >> Hi,
> >
> > Hi Metze,
> >
> >> I recently noticed that we have fallback code that tries to build
> >> an auth_session_info from a Kerberos principal if there's no
> >> PAC present in the ticket.
> >>
> >> I think think allowing that is completely stupid.
> >>
> >> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
> >> and we never set this, so we'll always get a PAC.
> >>
> >> The attached patches let us require a valid PAC blob
> >> in side Kerberos service tickets.
> >>
> >> Please review and push:-)
> >
> > In the first second patch, shouldn't we do:
> >
> > + DATA_BLOB pac_blob = data_blob_null;
>
> Done.
>
> > As we pass that down by pointer I would prefer it being initialized. Also
> > talloc_free() -> TALLOC_FREE()?
>
> I added a new patch
> "s3:gse: make use of talloc_stackframe() in gensec_gse_session_info()"
>
> But I left gensec_gssapi_session_info() with talloc_free(),
> all other places in that function use this and it's right before
> the return.
>
> > In the 8th patch, I would do:
> >
> > + struct wbcAuthUserParams params = {
> > + .level = WBC_AUTH_USER_LEVEL_PAC,
> > + };
> >
> > for the init of params.
>
> The goal was that "git show -w" gives a trivial diff,
> so I left it untouched.
>
> A new patchset is attached.
Pushed to autobuild
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list