From my readings, only the Heimdal Kerberos distribution has S4USelf
support, at least in the Samba 4 code base. MIT tries to stay away
from being PAC-cognizant.
It sounds like you're trying to do something slightly different - e.g.
Constrained Delegation, where the identity lives in the PAC, and not
in the ticket. There are additional security considerations which
come into play when relying simply on the PAC, since anyone can put a
PAC into a service ticket with a custom codebase - you can easily get
into cases of identity theft if you also don't verify the second
(KRBTGT HMAC of the server signature) signature in the PAC.
I can't say much more than that, unfortunately, but I wanted to point
out the ease of escalation of privs unless the other security
mechanisms are evaluated before trusting the PAC's principal.
Todd
On Feb 20, 2008, at 12:49 PM, Andrew Bartlett wrote:
On Tue, 2008-02-12 at 12:15 -0800, Ephi Dror wrote:
Hello,
Does samba support the use of S4U?
What do we need to configure in SAMBA or krb5 to support getting a
ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1
We are getting the following error:
decode_pac_data: Name in PAC [EMAIL PROTECTED]] does not match principal name in ticket
The ticket could be different than the PAC name because the ticket was
obtained using S4U extension.
As you have found out, the code does not currently allow this.
Now that we are using the PAC, it shouldn't be too hard for you to
change things so that instead of requiring the two strings to
match, it takes the PAC in precedence (if available).
I suggest raising this on samba-technical
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Todd Stecher | Windows Interop Dev
Isilon Systems P +1-206-315-7500 F +1-206-315-7501
www.isilon.com D +1-206-315-7638 M +1-425-205-1180
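The point Todd makes about the second PAC signature, as an added illustration that is not part of this thread or of the Samba code: the server checksum is computed with the service's own key, so anyone holding that key can re-sign a rewritten PAC, while the KDC checksum over the server checksum needs the krbtgt key. The checksum is KERB_CHECKSUM_HMAC_MD5 from MS-PAC 2.8.1; keys, PAC bytes and the flat "PAC body" (standing in for the PAC with its signature fields zeroed) are constructed for the example.

```python
import hashlib
import hmac
import struct

# Key usage number used for both PAC signatures (MS-PAC 2.8.1).
KERB_NON_KERB_CKSUM_SALT = 17


def kerb_checksum_hmac_md5(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 (the RC4-HMAC checksum) from MS-PAC 2.8.1."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def sign_pac(pac_body: bytes, server_key: bytes, kdc_key: bytes) -> tuple:
    """Produce (server signature, KDC signature) for a PAC body.
    pac_body is a constructed stand-in for the PAC with both signature fields zeroed."""
    server_sig = kerb_checksum_hmac_md5(server_key, KERB_NON_KERB_CKSUM_SALT, pac_body)
    # The KDC signature covers only the server signature and uses the krbtgt key.
    kdc_sig = kerb_checksum_hmac_md5(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return server_sig, kdc_sig


def verify_pac(pac_body, server_sig, kdc_sig, server_key, kdc_key) -> tuple:
    """Return (server signature valid, KDC signature valid)."""
    exp_server = kerb_checksum_hmac_md5(server_key, KERB_NON_KERB_CKSUM_SALT, pac_body)
    exp_kdc = kerb_checksum_hmac_md5(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return (hmac.compare_digest(exp_server, server_sig),
            hmac.compare_digest(exp_kdc, kdc_sig))


def demo() -> dict:
    # Constructed keys; in a domain these are the service's and krbtgt's long-term keys.
    server_key = hashlib.md5(b"service-key-demo").digest()
    kdc_key = hashlib.md5(b"krbtgt-key-demo").digest()
    genuine = b"PAC:user=alice@EXAMPLE.COM;groups=513"
    server_sig, kdc_sig = sign_pac(genuine, server_key, kdc_key)

    # A PAC rewritten to name a different principal, re-signed with the service key only.
    altered = b"PAC:user=mallory@EXAMPLE.COM;groups=513"
    altered_server_sig = kerb_checksum_hmac_md5(server_key, KERB_NON_KERB_CKSUM_SALT, altered)

    return {
        # (True, True): both checks pass
        "genuine": verify_pac(genuine, server_sig, kdc_sig, server_key, kdc_key),
        # (True, False): the server check alone would accept the altered name
        "altered": verify_pac(altered, altered_server_sig, kdc_sig, server_key, kdc_key),
    }
```

A service does not hold the krbtgt key, so in practice the KDC signature is checked by handing the PAC to a domain controller for validation rather than locally as shown here.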