[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Sep 15 08:02:47 UTC 2023
On 15.09.23 at 00:31, Andrew Bartlett wrote:
> commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414
> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
> Date: Mon Sep 4 13:20:34 2023 +1200
>
> s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
>
> I’m not sure exactly how this check was supposed to work. But in any
> case, within fast_unwrap_request() the Heimdal KDC replaces the outer
> padata with the padata from the inner FAST request. Hence, this check
> does not accomplish anything useful: at no point should the KDC plugin
> see the outer padata.
>
> A couple of unwanted consequences resulted from this check. One was that
> a client who sent empty FX-FAST padata within the inner FAST request
> would receive the *Authentication Authority* Asserted Identity SID
> instead of the *Service* Asserted Identity SID. Another consequence was
> that a client could in the same manner bypass the restriction on
> performing S4U2Self with an RODC-issued TGT.
>
> Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
> Heimdal plugin API gives us nothing better to work with.
>
> Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
> Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Shouldn't we backport this?
metze