git.samba.org / lorikeet-heimdal.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fcd8e33) | patch
kdc: update PAC hooks for Samba
authorLuke Howard <lukeh@padl.com>
Tue, 14 Dec 2021 01:40:31 +0000 (12:40 +1100)
committerLuke Howard <lukeh@padl.com>
Tue, 14 Dec 2021 02:51:53 +0000 (13:51 +1100)
commit2087e07c1ef53b11163e9efdff71becdbc0212f7
treee0950706bf6f082949abc2eac18c52f6457d1972tree
parentfcd8e33a980927cdff1d564dfdb36425bbf5a846commit | diff
kdc: update PAC hooks for Samba

Samba includes the user's long-term credentials (encrypted in the AS reply key)
to allow legacy authentication protocols such as NTLM to work even if the
pre-authentication mechanism replaced the reply key (as PKINIT does).

Samba also needs to know whether the client explicitly requested a PAC be
included (or excluded), in order to defer PAC exclusion until a service ticket
is issued (thereby avoiding a name binding attack if the user is renamed
between TGT and service ticket issuance).

References:

https://bugzilla.samba.org/show_bug.cgi?id=11441
https://bugzilla.samba.org/show_bug.cgi?id=14561

Closes: #864
Original authors:
 - Joseph Sutton <josephsutton@catalyst.net.nz>
 - Andrew Bartlett <abartlet@samba.org>
 - Stefan Metzmacher <metze@samba.org>
kdc/kdc_locl.h diff | blob | history
kdc/kerberos5.c diff | blob | history
kdc/krb5tgs.c diff | blob | history
kdc/windc.c diff | blob | history
kdc/windc_plugin.h diff | blob | history
tests/plugin/windc.c diff | blob | history
Lorikeet-Heimal