13137 – S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)

Bug 13137 - S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)

Summary: S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authti...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.7.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Stefan Metzmacher
QA Contact:	Samba QA Contact

URL:	https://gitlab.com/samba-team/samba/-...
Keywords:

Depends on:
Blocks:

Reported:	2017-11-14 15:29 UTC by Stefan Metzmacher
Modified:	2023-06-22 08:07 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Work in progress patch (1.75 KB, patch) 2017-12-13 12:45 UTC, Stefan Metzmacher	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2017-11-14 15:29:57 UTC

The ticket authtime of a Samba generated S4U2Proxy ticket and the logon_time
in the PAC_LOGON_NAME mismatch, because the ticket authtime is not taken
from the additional ticket.

Comment 1 Stefan Metzmacher 2017-12-13 12:45:11 UTC

Created attachment 13865 [details]
Work in progress patch

Comment 2 Stefan Metzmacher 2022-03-25 11:15:36 UTC

Comment on attachment 13865 [details]
Work in progress patch

The current patch is on https://gitlab.com/samba-team/samba/-/merge_requests/2458

Comment 3 Samba QA Contact 2023-06-22 00:23:12 UTC

This bug was referenced in samba master:

b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed

Comment 4 Stefan Metzmacher 2023-06-22 08:07:00 UTC

Will be fixed in 4.19