Bug 13137 - S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/-...
Reported: 2017-11-14 15:29 UTC by Stefan Metzmacher
Modified: 2023-06-22 08:07 UTC
Attachments
Work in progress patch (1.75 KB, patch)
2017-12-13 12:45 UTC, Stefan Metzmacher
Description Stefan Metzmacher 2017-11-14 15:29:57 UTC
The ticket authtime of a Samba generated S4U2Proxy ticket and the logon_time
in the PAC_LOGON_NAME mismatch, because the ticket authtime is not taken
from the additional ticket.
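
The check that such a ticket fails, sketched as an added example (not part of the bug report and not Samba's or any Kerberos library's code): a verifier decodes logon_time from the PAC_LOGON_NAME buffer and requires it to equal the ticket's authtime. The function names, the account name "alice" and the timestamps are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NT_TO_UNIX_SECS 11644473600ULL /* seconds from 1601-01-01 to 1970-01-01 */

/* Read an n-byte little-endian unsigned integer. */
static uint64_t rd_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* PAC_LOGON_NAME layout: 8-byte logon_time (NTTIME, 100 ns ticks since 1601),
 * 2-byte name size in bytes, then the account name in UTF-16LE.
 * Returns 1 if logon_time equals ticket_authtime (Unix seconds),
 * 0 on mismatch, -1 if the buffer is malformed. */
int pac_authtime_matches(const uint8_t *buf, size_t len, int64_t ticket_authtime) {
    if (len < 10) return -1;
    size_t name_len = (size_t)rd_le(buf + 8, 2);
    if (name_len > len - 10 || (name_len & 1)) return -1;
    uint64_t secs = rd_le(buf, 8) / 10000000ULL;
    if (secs < NT_TO_UNIX_SECS) return -1;
    return (int64_t)(secs - NT_TO_UNIX_SECS) == ticket_authtime;
}

/* Constructed sample: encode a PAC_LOGON_NAME for "alice" with the given time. */
size_t sample_logon_name(uint8_t *out, int64_t logon_time) {
    static const char name[] = "alice";
    uint64_t nt = ((uint64_t)logon_time + NT_TO_UNIX_SECS) * 10000000ULL;
    size_t i, n = sizeof(name) - 1;
    for (i = 0; i < 8; i++) out[i] = (uint8_t)(nt >> (8 * i));
    out[8] = (uint8_t)(2 * n);
    out[9] = 0;
    for (i = 0; i < n; i++) { out[10 + 2 * i] = (uint8_t)name[i]; out[11 + 2 * i] = 0; }
    return 10 + 2 * n;
}

int main(void) {
    uint8_t pac[32];
    int64_t evidence_authtime = 1510673397;          /* constructed: authtime of the additional ticket */
    int64_t other_authtime = evidence_authtime + 3600; /* constructed: authtime taken from anywhere else */
    size_t len = sample_logon_name(pac, evidence_authtime);
    printf("authtime from additional ticket: %d\n", pac_authtime_matches(pac, len, evidence_authtime));
    printf("authtime from elsewhere:         %d\n", pac_authtime_matches(pac, len, other_authtime));
    return 0;
}
```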
Comment 1 Stefan Metzmacher 2017-12-13 12:45:11 UTC
Created attachment 13865
Work in progress patch
Comment 2 Stefan Metzmacher 2022-03-25 11:15:36 UTC
Comment on attachment 13865
Work in progress patch

The current patch is on https://gitlab.com/samba-team/samba/-/merge_requests/2458
Comment 3 Samba QA Contact 2023-06-22 00:23:12 UTC
This bug was referenced in samba master:

b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed
Comment 4 Stefan Metzmacher 2023-06-22 08:07:00 UTC
Will be fixed in 4.19