Bug 15249 - [SECURITY] Windows clients need to call updated NETLOGON server to verify a PAC
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.17.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
Blocks: 15244
Reported: 2022-11-18 18:10 UTC by Andrew Bartlett
Modified: 2024-07-02 01:38 UTC
Comment 2 Andrew Bartlett 2023-08-10 22:04:40 UTC
I've written to dochelp looking for the docs or details on any changes made here.
Comment 4 Andrew Bartlett 2024-07-02 01:38:50 UTC
It follows on from bug 15231 that the NETLOGON server validation of a PAC via SamLogonEx and NetlogonGenericInformation with package "Kerberos" will need to be extended to cover the full PAC, checking the full PAC signature.

There are now new APIs on NETLOGON that Samba should implement. 

This isn't a Samba DC side issue, it is about avoiding security issues on the Windows client.