On Mon, 2007-05-14 at 19:24 -0400, Michael B Allen wrote:
> On Tue, 15 May 2007 07:59:40 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
>
> > On Mon, 2007-05-14 at 13:34 -0400, Michael B Allen wrote:
> > > This link claims MS' PAC verification can require communication with
> > > the DC:
> > >
> > > http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx
> > >
> > > Is this true? If so, services will not be able to authenticate nearly
> > > as fast as they otherwise could.
> >
> > If you think that someone else (not root) has access to the local
> > kerberos keytab (or the machine account password), then that user could
> > spoof their way to any (CIFS) user via the PAC, because they could make
> > up a fake one. Similarly, as always with kerberos, they could change
> > the principal in the ticket, etc.
> >
> > This can be worked around by validating the PAC to the KDC, but should
> > be of concern to anyone who shares that keytab too broadly (eg with
> > apache).
> >
> > On windows, I think a user could run a service, and unless the PAC was
> > validated with the KDC, they could use their password to fake their way
> > down to another more privileged user.
>
> Hi Andrew,
>
> So exploring the Apache example a little more - if Apache loaded the
> keytab as root when it initialized and stored it in an in-memory only
> keytab so that workers didn't really have access to it

You would need to *ensure* the workers didn't have access to it. (ie,
the GSSAPI authentication should go via a IPC mechanism. Perhaps to
winbind?).

> , the KDC checksum
> wouldn't really need to be validated and no communication with the KDC
> would be necessary?

Correct. As we don't talk to the KDC in Samba, this is a strict
requirement for a secure system.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
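The thread's point is that skipping KDC-side PAC validation is only safe when nothing but root can read the service keytab. An added example below (not Samba, Apache or winbind code, and not from anyone in the thread) audits the filesystem side of that requirement: it takes a keytab's owner, group and mode bits and reports every way a given service account could read it. The keytab path `/etc/krb5.keytab` and the uid/gid 33 for the web server workers are placeholders chosen for the example. It checks file permissions only; it says nothing about a copy already loaded into a worker's memory, which is what the IPC suggestion above addresses.

```python
"""Audit how exposed a Kerberos keytab file is to a non-root service account.

Added example for the thread above, not project code. Paths and uid/gid
values are placeholders.
"""
import os
import stat


def keytab_findings(owner_uid, owner_gid, mode, service_uid, service_gid):
    """Return the reasons a service account (service_uid/service_gid) could
    read a keytab with the given owner, group and mode bits.

    An empty list means plain file permissions do not expose the keytab to
    that account. File-type bits in `mode` are ignored, so a raw st_mode
    from os.stat() can be passed straight in.
    """
    mode = stat.S_IMODE(mode)
    findings = []
    if owner_uid != 0:
        findings.append("keytab owner uid %d is not root" % owner_uid)
    if owner_uid == service_uid and mode & stat.S_IRWXU:
        findings.append("service uid %d owns the keytab" % service_uid)
    if owner_gid == service_gid and mode & stat.S_IRWXG:
        findings.append("service gid %d has group access (mode %s)"
                        % (service_gid, oct(mode)))
    if mode & stat.S_IRWXO:
        findings.append("world bits set (mode %s)" % oct(mode))
    return findings


def audit_keytab(path, service_uid, service_gid):
    """stat() the keytab on disk and run the permission checks against it."""
    st = os.stat(path)
    return keytab_findings(st.st_uid, st.st_gid, st.st_mode,
                           service_uid, service_gid)


if __name__ == "__main__":
    import sys
    # Placeholder path; pass the real keytab as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.keytab"
    # Constructed value: uid/gid the web server workers are assumed to run as.
    worker_uid, worker_gid = 33, 33
    problems = audit_keytab(path, worker_uid, worker_gid)
    if problems:
        print("keytab %s is readable by the service account:" % path)
        for p in problems:
            print("  -", p)
    else:
        print("keytab %s is not exposed to uid/gid %d/%d by file permissions"
              % (path, worker_uid, worker_gid))
```

Run it as root against the real keytab with the uid/gid the workers use. A clean result here is the precondition for skipping the KDC round trip; the keytab still has to stay out of the workers' address space, which is the part only a privilege-separated (IPC) design can guarantee.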