[20020] in Kerberos_V5_Development

Re: The PAC must be the first ad-element

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Fri Jan 31 19:31:02 2020

In-Reply-To: <9f638130f9269056a2822380ed0ced4a58d485be.camel@samba.org>
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 1 Feb 2020 01:30:39 +0100
Message-ID: <CAC-fF8TsUTSP3cbgm1qSJ6G4T6Ww4SXRpdg4Ow7PLs9pGpFmcw@mail.gmail.com>
To: Andrew Bartlett <abartlet@samba.org>
Cc: Alexander Bokovoy <ab@samba.org>, krbdev@mit.edu

On Fri, Jan 31, 2020 at 7:25 PM Andrew Bartlett <abartlet@samba.org> wrote:
>
> On Fri, 2020-01-31 at 13:46 +0100, Isaac Boukris wrote:
> >
> > When I recently confirmed that Windows hosts have no problem with
> > other ad-elements alongside the PAC, I was too lazy to test a change of
> > order. Today I tested it and found that Windows servers are not happy
> > when the PAC is not the first ad-if-relevant element.
>
> Also, the original Samba PAC handling code was the same way; it very
> much assumed that the PAC was the first AD-IF-RELEVANT element.

Looking at the MIT code in handle_authdata(), I wonder if
request-authdata would pose a problem, and if so, what can be done
about it. I'll try to test this.