search for: s4u2self

Displaying 20 results from an estimated 57 matches for "s4u2self".

2023 Nov 07
0
Use of S4U2Self in Winbind in a forest trust - obtaining group list
...at allowed us to retrieve the user's group list via LDAP query using the server's computer account. Since the Samba update, this functionality has ceased to work. As I could see in several slides by Stefan Metzmacher, the correct way to achieve this and what would be implemented is through S4U2Self. In this approach, the server would request a Kerberos ticket from Active Directory, impersonating the user, and thus obtain the group list from the PAC. The question is, has this functionality already been implemented in Winbind? I've seen references to Samba 4.17 (I believe that was the vers...
2017 May 25
0
Windows 2012 s4u2self followed by s4u2proxy fails against samba
Hi, I hit the issue described in this thread https://groups.google.com/forum/#!topic/linux.samba/VfjW9Af92Wg while testing out s4u2self and s4u2proxy in a windows service, so I wanted to share my setup. So I wrote a small windows service that's running as a local system account to impersonate a user via s4u2self (using LsaLogonUser in win32 api then calling ImpersonateLoggedOnUser) and then access a file on a shared disk. The...
2019 May 14
0
[Announce] Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
Release Announcements --------------------- These are security releases in order to address the following defect: o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum) ======= Details ======= o CVE-2018-16860: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal. For more details and wo...
2019 May 14
0
[Announce] Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
Release Announcements --------------------- These are security releases in order to address the following defect: o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum) ======= Details ======= o CVE-2018-16860: The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal. For more details and wo...
2023 Jun 20
1
Synology shares not accessible...
...we will never know, I don't think we will ever see what modifications they have made to the Samba code. However, you do not seem to get the problem with a later Samba version and the SID S-1-18-1 (which is only mentioned as an 'aside' to the bug) appears to have something to do with S4U2Self and I think quite a bit of work has been done on that. It may just be that synology needs to use a later version of Samba. Rowland
2023 Jun 30
1
Group memberships on Linux AD Member (syncing randomly)
Hi Matthias, On 6/30/23 15:40, Matthias Leopold via samba wrote: > Can someone explain what is happening or where I need to tune? this is by design. :) The only reliable way (lacking S4U2SELF support) to get group membership for an AD user, is using the group list the DC passes along to us as part of the authentication process. We're trying extra hard to store this data *persistently* in the SAM-logon cache and not in an easily user flushable cache. -slow -- Ralph Boehme, Sam...
2023 Jun 20
1
Synology shares not accessible...
...I don't > think we will ever see what modifications they have made to the Samba > code. However, you do not seem to get the problem with a later Samba > version and the SID S-1-18-1 (which is only mentioned as an 'aside' to > the bug) appears to have something to do with S4U2Self and I think > quite a bit of work has been done on that. You're right fault was the wrong word, meant more caused through their changes to Samba. > It may just be that synology needs to use a later version of Samba. As I wrote before, I have set up a member server using Samba 4.15.9 and...
2018 Dec 13
0
[Announce] Samba 4.8.8 Available for Download
...to sign response. * BUG 13667: Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR. * BUG 13677: Fix copy with vfs_fruit if AFP_AfpInfo stream file size > 60bytes. o Isaac Boukris <iboukris at gmail.com> * BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build. o Amitay Isaacs <amitay at gmail.com> * BUG 13641: Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming. * BUG 13659: Fix bugs in CTDB event handling. o Volker Lendecke <vl at samba.org> * BUG 13465: examples: Fix t...
2018 Dec 13
0
[Samba] [Announce] Samba 4.8.8 Available for Download
...to sign response. * BUG 13667: Cancelling of SMB2 aio reads and writes returns wrong error NT_STATUS_INTERNAL_ERROR. * BUG 13677: Fix copy with vfs_fruit if AFP_AfpInfo stream file size > 60bytes. o Isaac Boukris <iboukris at gmail.com> * BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build. o Amitay Isaacs <amitay at gmail.com> * BUG 13641: Fix CTDB recovery record resurrection from inactive nodes and simplify vacuuming. * BUG 13659: Fix bugs in CTDB event handling. o Volker Lendecke <vl at samba.org> * BUG 13465: examples: Fix t...
2023 Jun 20
1
Synology shares not accessible...
...> think we will ever see what modifications they have made to the Samba >> code. However, you do not seem to get the problem with a later Samba >> version and the SID S-1-18-1 (which is only mentioned as an 'aside' to >> the bug) appears to have something to do with S4U2Self and I think >> quite a bit of work has been done on that. > You're right fault was the wrong word, meant more caused through their > changes to Samba. Oh, I hate email, you never get the context across correctly. what I was trying to say was, the problem may be a Samba problem, o...
2017 Mar 18
0
kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
...domain): Log level 5 Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable] [2017/03/18 22:00:03.656232, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating kacper_wirski at MYDOMAIN.COM.XYZ to service bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable] [2017/03/18 22:00:03.656262, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 sta...
2013 Nov 04
1
Running SQL Server xp_logininfo with Samba PDC
...pper) Kerberos: TGS-REQ SQLService at AD.MYDOMAIN.COM.AU from ipv4: 172.17.1.20:61630 for SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU[canonicalize, renewable, forwardable] [2013/11/04 14:05:17.956953, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU [2013/11/04 14:05:17.957371, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Principal may not act as server -- SQLService\@ AD.M...
2019 Dec 10
0
[Announce] Samba 4.11.3, 4.10.11 and 4.9.17 Security Releases Available
...ls ======= o CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name. o CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC. For more details and workarounds, please refer to the security advisories. Changes: -------- o Andrew Bartlett <abartlet at samba.org> * BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash. o Isaac Boukris <iboukris at gmail.com> * BUG 14187: CVE-2...
2019 Dec 10
0
[Announce] Samba 4.11.3, 4.10.11 and 4.9.17 Security Releases Available
...ls ======= o CVE-2019-14861: An authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name. o CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC. For more details and workarounds, please refer to the security advisories. Changes: -------- o Andrew Bartlett <abartlet at samba.org> * BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash. o Isaac Boukris <iboukris at gmail.com> * BUG 14187: CVE-2...
2023 Oct 16
0
[Announce] Samba 4.19.2 Available for Download
... * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs. o Joseph Sutton <josephsutton at catalyst.net.nz> * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19 * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-t...
2023 Oct 16
0
[Announce] Samba 4.19.2 Available for Download
... * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs. o Joseph Sutton <josephsutton at catalyst.net.nz> * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19 * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-t...
2023 Sep 27
0
[Announce] Samba 4.18.7 Available for Download
...ork with --enable-pcap and libpcap 1.9.1. o Joseph Sutton <josephsutton at catalyst.net.nz> * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with empty claims pac blobs (from Samba 4.19 or Windows). * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-t...
2023 Sep 27
0
[Announce] Samba 4.18.7 Available for Download
...ork with --enable-pcap and libpcap 1.9.1. o Joseph Sutton <josephsutton at catalyst.net.nz> * BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with empty claims pac blobs (from Samba 4.19 or Windows). * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-t...
2023 Jan 13
1
problems with sysvol after fsmo transfer
...here is a wiki page about using MIT: https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC This page was altered back in November and these lines about the known limitations were removed: * PKINIT support required for using smart cards * Service for User to Self-service (S4U2self) not supported * Service for User to Proxy (S4U2proxy) not supported * Computer GPO's are not applied, see [https://bugzilla.samba.org/show_bug.cgi?id=13516 Bug 13516] I am unclear about the first three, but the bug referred to in the last one is still open. Using Samba packages that us...
2023 Jun 21
1
Synology shares not accessible...
...we will ever see what modifications they have made to the Samba >>> code. However, you do not seem to get the problem with a later Samba >>> version and the SID S-1-18-1 (which is only mentioned as an 'aside' >>> to the bug) appears to have something to do with S4U2Self and I think >>> quite a bit of work has been done on that. >> You're right fault was the wrong word, meant more caused through their >> changes to Samba. > > Oh, I hate email, you never get the context across correctly. what I was > trying to say was, the proble...