Bug 14871 - UF_NO_AUTH_DATA_REQUIRED behaves incorrectly in Samba
Summary: UF_NO_AUTH_DATA_REQUIRED behaves incorrectly in Samba
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.15.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 14881
Blocks:
  Show dependency treegraph
 
Reported: 2021-10-18 02:57 UTC by Andrew Bartlett
Modified: 2021-11-30 02:17 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2021-10-18 02:57:47 UTC 
UF_NO_AUTH_DATA_REQUIRED in Samba doesn't match the Windows 2019 behaviour, on a server it instead causes errors unless a PAC was requested by the client. 

Also, it is consulted on client accounts, where it should have no impact.
Comment 1 Samba QA Contact 2021-10-20 09:23:05 UTC 
This bug was referenced in samba master:

92e8ce18a79e88c9b961dc20e39436c4cf653013
031a8287642e3c4b9d0b7c6b51f3b1d79b227542
cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf
83a654a4efd39a6e792a6d49e0ecf586e9bc53ef
Comment 2 Samba QA Contact 2021-10-25 13:06:09 UTC 
This bug was referenced in samba v4-15-test:

30b2a47af03c19f24deba07472f495e1e9c7aa73
19e770f04eafa09fca583130b01e97a331dd387d
54d9b9e04062079476555823806373a0c2ad42c7
a7dcff14bdd971bd4c9e3d178de15a0d505f28d8
Comment 3 Samba QA Contact 2021-10-26 13:25:36 UTC 
This bug was referenced in samba v4-14-test:

5cdec75f8bceee0e4996682d09104ff076e241b3
2149108966f4159a218a901c19bea3921d68fa1e
d8b9907d2a78fa06a0fd944eeee4a6bdd0e02614
716b2825791f64040ad69f88c5324ae045d108f7
Comment 4 Samba QA Contact 2021-10-27 13:11:39 UTC 
This bug was referenced in samba v4-15-stable (Release samba-4.15.1):

30b2a47af03c19f24deba07472f495e1e9c7aa73
19e770f04eafa09fca583130b01e97a331dd387d
54d9b9e04062079476555823806373a0c2ad42c7
a7dcff14bdd971bd4c9e3d178de15a0d505f28d8
Comment 5 Samba QA Contact 2021-10-27 13:23:00 UTC 
This bug was referenced in samba v4-14-stable (Release samba-4.14.9):

5cdec75f8bceee0e4996682d09104ff076e241b3
2149108966f4159a218a901c19bea3921d68fa1e
d8b9907d2a78fa06a0fd944eeee4a6bdd0e02614
716b2825791f64040ad69f88c5324ae045d108f7
Comment 6 Samba QA Contact 2021-10-27 23:56:16 UTC 
This bug was referenced in samba v4-13-test:

106dc4a049265e49f5b39c0bf0dbb3793aa34a61
3eb78cd43b6feb5fdee396881ca46e84371918f3
999208d3afa8f6fcb2e20ce3dd068d5f0c48cf86
e9b12d2def935050fb8be3f1d3e0ab6713807f32
Comment 7 Samba QA Contact 2021-10-29 07:01:36 UTC 
This bug was referenced in samba v4-13-stable (Release samba-4.13.13):

106dc4a049265e49f5b39c0bf0dbb3793aa34a61
3eb78cd43b6feb5fdee396881ca46e84371918f3
999208d3afa8f6fcb2e20ce3dd068d5f0c48cf86
e9b12d2def935050fb8be3f1d3e0ab6713807f32
Comment 8 Andrew Bartlett 2021-11-30 00:56:47 UTC 
The description was incorrect.  Samba would give an error for a target service with UF_NO_AUTH_DATA_REQUIRED unless KERB-PA-PAC-REQUEST was set to FALSE in the AS-REQ.

The issue was we would return EINVAL, rather than stripping the PAC, only avoided if the PAC routines were not called at all.