Status of Kerberos Support across Samba versions
Christopher R. Hertel
crh at nts.umn.edu
Fri May 5 17:18:11 GMT 2000
Point well made.
Thing is, even if Samba as a server did have the ability to read the PAC
data, what would we do with it? We would have to store and validate W2K
group IDs as well as all of the other auth information.
Also, I don't see that MIT is likely to implement the PAC. See:
http://www.networkworld.com/news/2000/0424kerberos.html
and search for the comments of Paul Hill from MIT.
Even if they did implement the PAC, what data would they include and
would a W2K client be able to use it?
Chris -)-----
> As I understand it, the PAC issued by Win2K contains signed SIDs, the groups
> of which the ticketholder is a member. By adding users to groups, requesting
> a ticket, removing them, and requesting another ticket, it cannot be that
> hard to reverse the contents.
>
> Samba wouldn't issue the PAC anyway - it would be the KDC's job to issue the
> K5 ticket with the appropriate PAC. Samba would have to *use* the PAC (this
> might seem a picky distinction, but I'm coming to the point...)
>
> So, what would not using the PAC implicate for Samba? Well, you wouldn't
> know what NT groups the ticket had permissions for. If you're willing to
> live with a loss of flexibility, you could do a name-based lookup (against
> the ActiveDirectory, say) to get the groups.
>
> I agree a Win2K compliant PDC would have to have a PAC-format-issuing KDC,
> but I'll leave that up to the MIT or Heimdal boys. Samba can survive without
> the PAC info - but K5 ticket support (instead of NTLM or whatnot) would be
> nice.
--
Christopher R. Hertel -)----- University of Minnesota
crh at nts.umn.edu Networking and Telecommunications Services
Ideals are like stars; you will not succeed in touching them
with your hands...you choose them as your guides, and following
them you will reach your destiny. --Carl Schultz