[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Fri Sep 15 08:05:05 UTC 2023


On 15.09.23 at 10:02, Stefan Metzmacher via samba-technical wrote:
> On 15.09.23 at 00:31, Andrew Bartlett wrote:
>> commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414
>> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
>> Date:   Mon Sep 4 13:20:34 2023 +1200
>>
>>      s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
>>
>>      I’m not sure exactly how this check was supposed to work. But in any
>>      case, within fast_unwrap_request() the Heimdal KDC replaces the outer
>>      padata with the padata from the inner FAST request. Hence, this check
>>      does not accomplish anything useful: at no point should the KDC plugin
>>      see the outer padata.
>>
>>      A couple of unwanted consequences resulted from this check. One was that
>>      a client who sent empty FX‐FAST padata within the inner FAST request
>>      would receive the *Authentication Authority* Asserted Identity SID
>>      instead of the *Service* Asserted Identity SID. Another consequence was
>>      that a client could in the same manner bypass the restriction on
>>      performing S4U2Self with an RODC‐issued TGT.
>>
>>      Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
>>      Heimdal plugin API gives us nothing better to work with.
>>
>>      Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>>      Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> 
> Shouldn't we backport this?

Same for these:

commit ba1750082adf87a700711f7b99573434f50fc41b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 25 11:04:32 2023 +1200

     claims.idl: Be more lenient in our expectations for the compression of claims

     384 bytes is not a strict threshold below which claims are never to be
     compressed. Windows has been known to compress claims a mere 368 bytes
     in size.

     Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
     Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 571ff5f31411689e9eb67ce8df837e79bb1fef2d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 25 11:01:09 2023 +1200

     claims.idl: Allow empty claim value buffers

     Windows doesn’t reject these, nor do we have any reason to do so.

     Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
     Reviewed-by: Andrew Bartlett <abartlet at samba.org>

metze




