Bug 15249 - [SECURITY] Windows clients need to call updated NETLOGON server to verify a PAC
Summary: [SECURITY] Windows clients need to call updated NETLOGON server to verify a PAC
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.17.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jennifer Sutton
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15244
Reported: 2022-11-18 18:10 UTC by Andrew Bartlett
Modified: 2024-11-22 23:54 UTC

See Also:
Comment 2 Andrew Bartlett 2023-08-10 22:04:40 UTC
I've written to dochelp looking for the docs or details on any changes made here.
Comment 4 Andrew Bartlett 2024-07-02 01:38:50 UTC
It follows on from bug 15231 that the NETLOGON server validation of a PAC via SamLogonEx and NetlogonGenericInformation with package "Kerberos" will need to be extended to cover the full PAC, checking the full PAC signature.

There are now new APIs on NETLOGON that Samba should implement.

This isn't a Samba DC side issue, it is about avoiding security issues on the Windows client.
Comment 5 Jennifer Sutton 2024-11-21 18:53:47 UTC
My development branch with some tests: https://gitlab.com/samba-team/devel/samba/-/commits/jsutton24/pac-verify

There is also a conversation with dochelp: https://lists.samba.org/archive/cifs-protocol/2024-August/004374.html

Some of it took place off-list.
Comment 6 Jennifer Sutton 2024-11-21 19:00:03 UTC
Actually, more up-to-date tests are in this other branch: https://gitlab.com/samba-team/devel/samba/-/commits/jsutton24/gmsa-9
Comment 7 Stefan Metzmacher 2024-11-22 23:54:57 UTC
(In reply to Jennifer Sutton from comment #5)

I took some of your stuff and modified it to get useful IDL
and a very basic test that works against Windows 2022 and 2025 preview.

See https://gitlab.com/samba-team/samba/-/merge_requests/3878

Note I only tried enough to check if application-level encryption
should be added to netlogon_creds_crypt_samlogon_logon and netlogon_creds_crypt_samlogon_validation, but the answer is no...