Displaying 20 results from an estimated 59 matches for "s4u2self".
2023 Nov 07
0
Use of S4U2Self in Winbind in a forest trust - obtaining group list
...at allowed us to retrieve the user's group list via LDAP query using the server's computer account. Since the Samba update, this functionality has ceased to work.
As I could see in several slides by Stefan Metzmacher, the correct way to achieve this and what would be implemented is through S4U2Self. In this approach, the server would request a Kerberos ticket from Active Directory, impersonating the user, and thus obtain the group list from the PAC.
The question is, has this functionality already been implemented in Winbind? I've seen references to Samba 4.17 (I believe that was the vers...
2017 May 25
0
Windows 2012 s4u2self followed by s4u2proxy fails against samba
Hi,
I hit the issue described in this thread
https://groups.google.com/forum/#!topic/linux.samba/VfjW9Af92Wg while
testing out s4u2self and s4u2proxy in a windows service, so I wanted
to share my setup.
So I wrote a small windows service that's running as a local system
account to impersonate a user via s4u2self (using LsaLogonUser in
win32 api then calling ImpersonateLoggedOnUser) and then access a file
on a shared disk. The...
2019 May 14
0
[Announce] Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
Release Announcements
---------------------
These are security releases in order to address the following defect:
o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
=======
Details
=======
o CVE-2018-16860:
The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
did not first confirm that the checksum was keyed, allowing replacement of
the requested target (client) principal.
For more details and wo...
2019 May 14
0
[Announce] Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
Release Announcements
---------------------
These are security releases in order to address the following defect:
o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
=======
Details
=======
o CVE-2018-16860:
The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
did not first confirm that the checksum was keyed, allowing replacement of
the requested target (client) principal.
For more details and wo...
2023 Jun 20
1
Synology shares not accessible...
...we will never know, I don't
think we will ever see what modifications they have made to the Samba
code. However, you do not seem to get the problem with a later Samba
version and the SID S-1-18-1 (which is only mentioned as an 'aside' to
the bug) appears to have something to do with S4U2Self and I think quite
a bit of work has been done on that.
It may just be that synology needs to use a later version of Samba.
Rowland
2023 Jun 30
1
Group memberships on Linux AD Member (syncing randomly)
Hi Matthias,
On 6/30/23 15:40, Matthias Leopold via samba wrote:
> Can someone explain what is happening or where I need to tune?
this is by design. :)
The only reliable way (lacking S4U2SELF support) to get group membership
for an AD user, is using the group list the DC passes along to us as
part of the authentication process.
We're trying extra hard to store this data *persistently* in the
SAM-logon cache and not in an easily user flushable cache.
-slow
--
Ralph Boehme, Sam...
2023 Jun 20
1
Synology shares not accessible...
...I don't
> think we will ever see what modifications they have made to the Samba
> code. However, you do not seem to get the problem with a later Samba
> version and the SID S-1-18-1 (which is only mentioned as an 'aside' to
> the bug) appears to have something to do with S4U2Self and I think
> quite a bit of work has been done on that.
You're right fault was the wrong word, meant more caused through their
changes to Samba.
> It may just be that synology needs to use a later version of Samba.
As I wrote before, I have set up a member server using Samba 4.15.9 and...
2018 Dec 13
0
[Announce] Samba 4.8.8 Available for Download
...to sign response.
* BUG 13667: Cancelling of SMB2 aio reads and writes returns wrong error
NT_STATUS_INTERNAL_ERROR.
* BUG 13677: Fix copy with vfs_fruit if AFP_AfpInfo stream file
size > 60bytes.
o Isaac Boukris <iboukris at gmail.com>
* BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build.
o Amitay Isaacs <amitay at gmail.com>
* BUG 13641: Fix CTDB recovery record resurrection from inactive nodes and
simplify vacuuming.
* BUG 13659: Fix bugs in CTDB event handling.
o Volker Lendecke <vl at samba.org>
* BUG 13465: examples: Fix t...
2018 Dec 13
0
[Samba] [Announce] Samba 4.8.8 Available for Download
...to sign response.
* BUG 13667: Cancelling of SMB2 aio reads and writes returns wrong error
NT_STATUS_INTERNAL_ERROR.
* BUG 13677: Fix copy with vfs_fruit if AFP_AfpInfo stream file
size > 60bytes.
o Isaac Boukris <iboukris at gmail.com>
* BUG 13571: CVE-2018-16853: Fix S4U2Self crash with MIT KDC build.
o Amitay Isaacs <amitay at gmail.com>
* BUG 13641: Fix CTDB recovery record resurrection from inactive nodes and
simplify vacuuming.
* BUG 13659: Fix bugs in CTDB event handling.
o Volker Lendecke <vl at samba.org>
* BUG 13465: examples: Fix t...
2023 Jun 20
1
Synology shares not accessible...
...>> think we will ever see what modifications they have made to the Samba
>> code. However, you do not seem to get the problem with a later Samba
>> version and the SID S-1-18-1 (which is only mentioned as an 'aside' to
>> the bug) appears to have something to do with S4U2Self and I think
>> quite a bit of work has been done on that.
> You're right fault was the wrong word, meant more caused through their
> changes to Samba.
Oh, I hate email, you never get the context across correctly. What I was
trying to say was, the problem may be a Samba problem, o...
2017 Mar 18
0
kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
...domain):
Log level 5
Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating
kacper_wirski at MYDOMAIN.COM.XYZ to service
bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 sta...
2024 May 02
1
Group Membership Retrieval not using kerberos authentication
...ieve the user's group list.
Previously, Winbind could accomplish this through an LDAP query using the server's machine account, but it seems that functionality has been removed.
From what I've read in some technical presentations about Samba, the correct approach is to do this using S4U2Self, so that the machine or service obtains a Kerberos ticket on behalf of the user to retrieve the list of groups to which the user belongs.
I'm unaware if this functionality is fully developed and if so, from which version of Samba. If it is, I would be very grateful if someone could assist me in...
2013 Nov 04
1
Running SQL Server xp_logininfo with Samba PDC
...pper)
Kerberos: TGS-REQ SQLService at AD.MYDOMAIN.COM.AU from ipv4:
172.17.1.20:61630 for
SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU[canonicalize,
renewable, forwardable]
[2013/11/04 14:05:17.956953, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating
sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.957371, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Principal may not act as server -- SQLService\@
AD.M...
2019 Dec 10
0
[Announce] Samba 4.11.3, 4.10.11 and 4.9.17 Security Releases Available
...ls
=======
o CVE-2019-14861:
An authenticated user can crash the DCE/RPC DNS management server by creating
records with matching the zone name.
o CVE-2019-14870:
The DelegationNotAllowed Kerberos feature restriction was not being applied
when processing protocol transition requests (S4U2Self), in the AD DC KDC.
For more details and workarounds, please refer to the security advisories.
Changes:
--------
o Andrew Bartlett <abartlet at samba.org>
* BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.
o Isaac Boukris <iboukris at gmail.com>
* BUG 14187: CVE-2...
2019 Dec 10
0
[Announce] Samba 4.11.3, 4.10.11 and 4.9.17 Security Releases Available
...ls
=======
o CVE-2019-14861:
An authenticated user can crash the DCE/RPC DNS management server by creating
records with matching the zone name.
o CVE-2019-14870:
The DelegationNotAllowed Kerberos feature restriction was not being applied
when processing protocol transition requests (S4U2Self), in the AD DC KDC.
For more details and workarounds, please refer to the security advisories.
Changes:
--------
o Andrew Bartlett <abartlet at samba.org>
* BUG 14138: CVE-2019-14861: Fix DNSServer RPC server crash.
o Isaac Boukris <iboukris at gmail.com>
* BUG 14187: CVE-2...
2023 Oct 16
0
[Announce] Samba 4.19.2 Available for Download
... * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton at catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-t...
2023 Oct 16
0
[Announce] Samba 4.19.2 Available for Download
... * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton at catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-t...
2023 Sep 27
0
[Announce] Samba 4.18.7 Available for Download
...ork with --enable-pcap and libpcap ?
1.9.1.
o Joseph Sutton <josephsutton at catalyst.net.nz>
* BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with
empty claims pac blobs (from Samba 4.19 or Windows).
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-t...
2023 Sep 27
0
[Announce] Samba 4.18.7 Available for Download
...ork with --enable-pcap and libpcap ?
1.9.1.
o Joseph Sutton <josephsutton at catalyst.net.nz>
* BUG 15476: The KDC in 4.18 (and older) is not able to accept tickets with
empty claims pac blobs (from Samba 4.19 or Windows).
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-t...
2023 Jan 13
1
problems with sysvol after fsmo transfer
...here is a wiki page about using MIT:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
This page was altered back in November and these lines about the known
limitations were removed:
* PKINIT support required for using smart cards
* Service for User to Self-service (S4U2self) not supported
* Service for User to Proxy (S4U2proxy) not supported
* Computer GPO's are not applied, see
[https://bugzilla.samba.org/show_bug.cgi?id=13516 Bug 13516]
I am unclear about the first three, but the bug referred to in the last
one is still open.
Using Samba packages that us...