Status of Kerberos Support across Samba versions

Christopher R. Hertel crh at nts.umn.edu
Fri May 5 17:18:11 GMT 2000


Point well made.

Thing is, even if Samba as a server did have the ability to read the PAC 
data, what would we do with it?  We would have to store and validate W2K
group IDs as well as all of the other auth information.

Also, I don't see that MIT is likely to implement the PAC.  See:

  http://www.networkworld.com/news/2000/0424kerberos.html

and search for the comments of Paul Hill from MIT.

Even if they did implement the PAC, what data would they include and 
would a W2K client be able to use it?

Chris -)-----

> As I understand it, the PAC issued by Win2K contains signed SIDs, the groups
> of which the ticketholder is a member. By adding users to groups, requesting
> a ticket, removing them, and requesting another ticket, it cannot be that
> hard to reverse the contents.
> 
> Samba wouldn't issue the PAC anyway - it would be the KDC's job to issue the
> K5 ticket with the appropriate PAC. Samba would have to *use* the PAC (this
> might seem a picky distinction, but I'm coming to the point...)
> 
> So, what would not using the PAC implicate for Samba? Well, you wouldn't
> know what NT groups the ticket had permissions for. If you're willing to
> live with a loss of flexibility, you could do a name-based lookup (against
> the ActiveDirectory, say) to get the groups.
> 
> I agree a Win2K compliant PDC would have to have a PAC-format-issuing KDC,
> but I'll leave that up to the MIT or Heimdal boys. Samba can survive without
> the PAC info - but K5 ticket support (instead of NTLM or whatnot) would be
> nice.

-- 
Christopher R. Hertel -)-----                   University of Minnesota
crh at nts.umn.edu              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your hands...you choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz


