search for: s4u2proxy

...al. ?? * BUG 14862: MacOSX compilation fixes. o? Douglas Bagnall <douglas.bagnall at catalyst.net.nz> ?? * BUG 14868: rodc_rwdc test flaps. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze ???? bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded ???? Heimdal. ?? * BUG 14836: Python ldb.msg_diff() memory handling failure. ?? * BUG 14845: "in" operator on ldb.Message is case sensitive. ?? * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1. ?? * BUG 14854: samldb_krbtgtnumber_av...

...al. ?? * BUG 14862: MacOSX compilation fixes. o? Douglas Bagnall <douglas.bagnall at catalyst.net.nz> ?? * BUG 14868: rodc_rwdc test flaps. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze ???? bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded ???? Heimdal. ?? * BUG 14836: Python ldb.msg_diff() memory handling failure. ?? * BUG 14845: "in" operator on ldb.Message is case sensitive. ?? * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1. ?? * BUG 14854: samldb_krbtgtnumber_av...

...bagnall at catalyst.net.nz> ?? * BUG 14868: rodc_rwdc test flaps. ?? * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze ???? bit' S4U2Proxy Constrained Delegation bypass in Samba with ???? embedded Heimdal. ?? * BUG 14836: Python ldb.msg_diff() memory handling failure. ?? * BUG 14845: "in" operator on ldb.Message is case sensitive. ?? * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. ?? * BUG 14871: Fix Samba support for...

...bagnall at catalyst.net.nz> ?? * BUG 14868: rodc_rwdc test flaps. ?? * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze ???? bit' S4U2Proxy Constrained Delegation bypass in Samba with ???? embedded Heimdal. ?? * BUG 14836: Python ldb.msg_diff() memory handling failure. ?? * BUG 14845: "in" operator on ldb.Message is case sensitive. ?? * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. ?? * BUG 14871: Fix Samba support for...

...laps. ?? * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14836: Python ldb.msg_diff() memory handling failure. ?? * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze ???? bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded ???? Heimdal. ?? * BUG 14845: "in" operator on ldb.Message is case sensitive. ?? * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. ?? * BUG 14870: Prepare to operate with MIT krb5 >= 1.20. ?? * BUG 14871: Fix Samba support for UF...

...laps. ?? * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements. o? Andrew Bartlett <abartlet at samba.org> ?? * BUG 14836: Python ldb.msg_diff() memory handling failure. ?? * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze ???? bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded ???? Heimdal. ?? * BUG 14845: "in" operator on ldb.Message is case sensitive. ?? * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9. ?? * BUG 14870: Prepare to operate with MIT krb5 >= 1.20. ?? * BUG 14871: Fix Samba support for UF...

Hi, I hit the issue described in this thread https://groups.google.com/forum/#!topic/linux.samba/VfjW9Af92Wg while testing out s4u2self and s4u2proxy in a windows service, so I wanted to share my setup. So I wrote a small windows service that's running as a local system account to impersonate an user via s4u2self (using LsaLogonUser in win32 api than calling ImpersonateLoggedOnUser) and then access a file on a shared disk. The file access f...

Release Announcements --------------------- These are a security releases in order to address the following defect: o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum) ======= Details ======= o CVE-2018-16860: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal. For more details and workarounds,...

Release Announcements --------------------- These are a security releases in order to address the following defect: o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum) ======= Details ======= o CVE-2018-16860: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal. For more details and workarounds,...

...a.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC This page was altered back in November and these lines about the known limitations were removed: * PKINIT support required for using smart cards * Service for User to Self-service (S4U2self) not supported * Service for User to Proxy (S4U2proxy) not supported * Computer GPO's are not applied, see [https://bugzilla.samba.org/show_bug.cgi?id=13516 Bug 13516] I am unclear about the first three, but the bug referred to in the last one is still open. Using Samba packages that use MIT for a DC is experimental and isn't supported...

Am 13.01.23 um 11:31 schrieb Rowland Penny via samba: > > On 13/01/2023 09:53, Markus Dellermann via samba wrote: >> Hi Thorsten, hi Rowland, >> Just one hint from me: >> openSUSE-samba-Packages are normally mit-kerberos based. >> For DCs it could be better to use the heimdal-based >> >> There are some convenient repos on openSUSE-Build-Server.. >>

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...

...l and krb5-server packages are required. The feature set is not on par with the Heimdal build but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos. Missing features, compared to Heimdal, are: * PKINIT support * S4U2SELF/S4U2PROXY support * RODC support (not fully working with Heimdal either) The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a cor...

...l and krb5-server packages are required. The feature set is not on par with the Heimdal build but the most important things, like forest and external trusts, are working. Samba uses the KDC binary provided by MIT Kerberos. Missing features, compared to Heimdal, are: * PKINIT support * S4U2SELF/S4U2PROXY support * RODC support (not fully working with Heimdal either) The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a cor...

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...

...details between KDC and KDB components. When built against MIT Kerberos, Samba AD DC supports MIT Kerberos 1.19 and 1.20 versions but 'Bronze Bit' mitigation is provided only with MIT Kerberos 1.20. In addition to fixing the ?Bronze Bit? issue, Samba AD DC now fully supports S4U2Self and S4U2Proxy Kerberos extensions. Resource Based Constrained Delegation (RBCD) support ---------------------------------------------------- Samba AD DC built with MIT Kerberos 1.20 offers RBCD support now. With MIT Kerberos 1.20 we have complete RBCD support passing Sambas S4U testsuite. Note that samba-tool...