Andrew Bartlett
2023-Apr-25 23:43 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On Thu, 2023-04-13 at 15:55 -0700, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from
> a MacOS and they got:
>
> [2023/04/13 15:50:50.002773, 1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE

So I knew this would happen, sorry about that.

When we did the big 2021 security fixes, we strictly set a line between 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.

This was meant to ensure that folks would not connect Samba as a 'standalone' server in an AD domain, bypassing the security mitigation we put in place against the 'dollar ticket attack' where users could create an account called 'root$' but print it as 'root'.

The problem is that subsequent to that, I saw that the MIT folks decided to always issue a PAC, just without the LOGON_INFO component. Samba doesn't do well with that, and a fix is needed both in this code and in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
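The 'has a PAC' versus 'has a PAC with LOGON_INFO' distinction Andrew describes, shown as an added illustration that is not code from this thread, from Samba or from MIT krb5: a small parser over the MS-PAC PACTYPE header that classifies a PAC by which buffers it carries, so a check can tell "no PAC", "PAC without LOGON_INFO" and "PAC with LOGON_INFO" apart. The two sample PACs are constructed here with placeholder payloads, not real NDR-encoded structures.

```python
import struct
from typing import List, Optional, Tuple

# MS-PAC buffer types (ulType values); only the ones used below
PAC_LOGON_INFO = 1          # KERB_VALIDATION_INFO: the SIDs/groups Samba needs to build a token
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10

def parse_pac_buffer_types(pac: bytes) -> List[int]:
    """Return the ulType of every PAC_INFO_BUFFER in a PACTYPE blob.
    PACTYPE = cBuffers (u32) | Version (u32) | cBuffers x PAC_INFO_BUFFER;
    PAC_INFO_BUFFER = ulType (u32) | cbBufferSize (u32) | Offset (u64), little-endian.
    Raises ValueError on a truncated or self-inconsistent blob."""
    if len(pac) < 8:
        raise ValueError("PAC shorter than the PACTYPE header")
    count, _version = struct.unpack_from("<II", pac, 0)
    if 8 + 16 * count > len(pac):
        raise ValueError("PAC buffer table truncated")
    types = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("buffer type %d points past the end of the PAC" % ul_type)
        types.append(ul_type)
    return types

def classify_pac(pac: Optional[bytes]) -> str:
    """Three cases, not two: no PAC at all, a PAC without LOGON_INFO, a PAC with LOGON_INFO."""
    if pac is None:
        return "no PAC"
    if PAC_LOGON_INFO in parse_pac_buffer_types(pac):
        return "PAC with LOGON_INFO"
    return "PAC without LOGON_INFO"

def build_pac(buffers: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a PACTYPE blob from (ulType, payload) pairs, padding each payload to 8 bytes."""
    header_len = 8 + 16 * len(buffers)
    table, body = struct.pack("<II", len(buffers), 0), b""
    for ul_type, payload in buffers:
        table += struct.pack("<IIQ", ul_type, len(payload), header_len + len(body))
        body += payload + b"\0" * (-len(payload) % 8)
    return table + body

# Constructed samples: payloads are placeholder bytes, not real NDR-encoded structures
AD_STYLE_PAC = build_pac([(PAC_LOGON_INFO, b"\x01" * 20), (PAC_CLIENT_INFO, b"\x02" * 12),
                          (PAC_SERVER_CHECKSUM, b"\0" * 16), (PAC_PRIVSVR_CHECKSUM, b"\0" * 16)])
MIT_STYLE_PAC = build_pac([(PAC_CLIENT_INFO, b"\x02" * 12),
                          (PAC_SERVER_CHECKSUM, b"\0" * 16), (PAC_PRIVSVR_CHECKSUM, b"\0" * 16)])
```

A server that only asks "is there a PAC?" treats MIT_STYLE_PAC like AD_STYLE_PAC and then fails when it looks for the missing LOGON_INFO; classify_pac is the shape of the test Andrew says is needed instead.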
Daniel Lakeland
2023-Apr-26 01:45 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/25/23 16:43, Andrew Bartlett wrote:
>
> So I knew this would happen, sorry about that.
>
> When we did the big 2021 security fixes, we strictly set a line between
> 'AD has a PAC' and 'MIT Krb5 (traditional) does not'.
>
> This was meant to ensure that folks would not connect Samba as a
> 'standalone' server in an AD domain, bypassing the security mitigation
> we put in place against the 'dollar ticket attack' where users could
> create an account called 'root$' but print it as 'root'.
>
> The problem is that subsequent to that, I saw that the MIT folks
> decided to always issue a PAC, just without the LOGON_INFO
> component. Samba doesn't do well with that, and a fix is needed both
> in this code and in winbindd to change the test from 'has a PAC' to 'has a PAC with LOGON_INFO'.
>

Brilliant! Glad you identified the problem! Is there somewhere I should file a specific bug, or have you already done that?

I really appreciate you looking into this and figuring out what the problem is.

Dan