Status of Kerberos Support across Samba versions

Mayers, P J p.mayers at ic.ac.uk
Fri May 5 16:19:36 GMT 2000


As I understand it, the PAC issued by Win2K contains signed SIDs, the groups
of which the ticketholder is a member. By adding users to groups, requesting
a ticket, removing them, and requesting another ticket, it cannot be that
hard to reverse the contents.

Samba wouldn't issue the PAC anyway - it would be the KDC's job to issue the
K5 ticket with the appropriate PAC. Samba would have to *use* the PAC (this
might seem a picky distinction, but I'm coming to the point...)

So, what would not using the PAC implicate for Samba? Well, you wouldn't
know what NT groups the ticket had permissions for. If you're willing to
live with a loss of flexibility, you could do a name-based lookup (against
the ActiveDirectory, say) to get the groups.

I agree a Win2K compliant PDC would have to have a PAC-format-issuing KDC,
but I'll leave that up to the MIT or Heimdal boys. Samba can survive without
the PAC info - but K5 ticket support (instead of NTLM or whatnot) would be
nice.

Cheers,
Phil

> -----Original Message-----
> From:	David Collier-Brown [SMTP:davecb at canada.sun.com]
> Sent:	Friday, May 05, 2000 5:04 PM
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: Status of Kerberos Support across Samba versions
> 
> "Christopher R. Hertel" wrote:
> > The "license" appears to be designed to prevent an Open Source
> > implementation.  I really have no idea what they are thinking.  
> 
> 	It is a little off-topic, and rather contentious (;-))
> 	
> > The real question, however, is this:  What do we gain from knowing how
> > these fields are laid out?  They likely contain information specific to
> > W2K.  Samba jumps backwards through flaming hoops as it is trying to
> > generate valid-looking W/NT IDs.
> 
> 	I doubt if it adds a whole lot, as we either need to develop
> 	the information independently or obtain permission to 
> 	implement from the specification.
> 
> 	I'd be tempted to ask for the latter, as it might 
> 	reflect very much to the credit of Microsoft to
> 	permit such.
> 
> 
> --dave (who works for the other guys, but still thinks Bill is smart)
> c-b
> -- 
> David Collier-Brown,  | Always do right. This will gratify some people
> 185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
> Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
> Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com