Bug 13137 – S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)

Bug 13137 - S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)


Summary:	S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authti...

Status:	NEW

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB
Version:	4.7.0
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assigned To:	Stefan Metzmacher
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-11-14 15:29 UTC by Stefan Metzmacher
Modified:	2017-12-13 12:45 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Work in progress patch (1.75 KB, patch) 2017-12-13 12:45 UTC, Stefan Metzmacher	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2017-11-14 15:29:57 UTC

The ticket authtime of a Samba generated S4U2Proxy ticket and the logon_time
in the PAC_LOGON_NAME mismatch, because the ticket authtime is not taken
from the additional ticket.

Comment 1 Stefan Metzmacher 2017-12-13 12:45:11 UTC

Created attachment 13865 [details]
Work in progress patch