Status of Kerberos Support across Samba versions

Mayers, P J p.mayers at ic.ac.uk
Fri May 5 17:35:10 GMT 2000


> I agree the MIT team aren't likely to bother, but Heimdal might.
> 
> Including the right data in the PAC would require the KDC to know about NT
> groups - Samba TNG has a loopback connection feature, which might almost
> be designed for stuff like this:
> 
> Connection: KDC->samba on loopback UNIX domain socket
> Query: User's NT group SIDs
> Send KDC->client (ticket with signed group data)
> 
> Getting the right data to put into the PAC isn't hard, Samba can pretty
> much do that already, it's knowing what format to put it in. The clients
> will automatically use the PAC data once it's there (calling the NT
> equivalent of setgroups() with the given group data, before setuid() down
> to the user).
> 
> Similarly, NT servers which are passed a K ticket from the client will
> "automatically" make use of the data, applying access permissions based on
> the group SIDs in the ticket.
> 
> Non-NT servers can either
> 
> a) Ignore the PAC, and look the groups up from some database
> b) Decode it, which requires the format.
> 
> I'm proposing SMBD do the latter, which passes almost all responsibility
> for Win2K Kerb tickets onto the KDC (it's called buck passing...)
> 
> NOTE - almost all - as Nicolas Williams points out, NETLOGON has to be
> able to validate a supplied K ticket's PAC signature, but I suspect some
> kind of "cache" of issued PACs could be used to do that without too much
> trouble. I hope, otherwise the problem could be harder than we think. 
> 
> Cheers,
> Phil
> 
> 
> -----Original Message-----
> From:	Christopher R. Hertel [SMTP:crh at nts.umn.edu]
> Sent:	Friday, May 05, 2000 6:18 PM
> To:	p.mayers at ic.ac.uk
> Cc:	Samba Technical
> Subject:	Re: Status of Kerberos Support across Samba versions
> 
> Point well made.
> 
> Thing is, even if Samba as a server did have the ability to read the PAC
> data, what would we do with it?  We would have to store and validate W2K
> group IDs as well as all of the other auth information.
> 
> Also, I don't see that MIT is likely to implement the PAC.  See:
> 
>   http://www.networkworld.com/news/2000/0424kerberos.html
> 
> and search for the comments of Paul Hill from MIT.
> 
> Even if they did implement the PAC, what data would they include and 
> would a W2K client be able to use it?
> 
> Chris -)-----
> 
> > As I understand it, the PAC issued by Win2K contains signed SIDs, the
> > groups of which the ticketholder is a member. By adding users to groups,
> > requesting a ticket, removing them, and requesting another ticket, it
> > cannot be that hard to reverse the contents.
> > 
> > Samba wouldn't issue the PAC anyway - it would be the KDC's job to issue
> > the K5 ticket with the appropriate PAC. Samba would have to *use* the PAC
> > (this might seem a picky distinction, but I'm coming to the point...)
> > 
> > So, what would not using the PAC imply for Samba? Well, you wouldn't
> > know what NT groups the ticket had permissions for. If you're willing to
> > live with a loss of flexibility, you could do a name-based lookup
> > (against the ActiveDirectory, say) to get the groups.
> > 
> > I agree a Win2K compliant PDC would have to have a PAC-format-issuing
> > KDC, but I'll leave that up to the MIT or Heimdal boys. Samba can survive
> > without the PAC info - but K5 ticket support (instead of NTLM or whatnot)
> > would be nice.
> 
> -- 
> Christopher R. Hertel -)-----                   University of Minnesota
> crh at nts.umn.edu              Networking and Telecommunications Services
> 
>     Ideals are like stars; you will not succeed in touching them
>     with your hands...you choose them as your guides, and following
>     them you will reach your destiny.  --Carl Schultz
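The loopback flow Phil sketches above (KDC asks samba over a UNIX domain socket for the user's NT group SIDs, puts signed group data in the ticket, and a non-NT server decodes it while NETLOGON vouches for the signature from a cache of issued PACs), as an added example that is not part of the thread and not Samba TNG code. The blob layout (NUL-separated fields followed by an HMAC-SHA256 tag), the socket message format, the user names and the SIDs are all constructed for this example; none of it is the Windows 2000 PAC format, which the thread notes was undocumented at the time.

```python
"""Toy model of the KDC <-> samba loopback flow from the thread.

ASSUMPTIONS (invented for this example, not the Win2K PAC format):
  - PAC blob = "user\0sid1\0sid2..." + 32-byte HMAC-SHA256 over that body
  - the group provider answers a bare user name with a JSON list of SIDs
  - GROUP_DB holds constructed sample users and SIDs
"""
import hashlib
import hmac
import json
import os
import socket
import tempfile
import threading

GROUP_DB = {  # constructed sample directory: user -> NT group SIDs
    "phil": ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1105"],
    "chris": ["S-1-5-21-1-2-3-513"],
}
SIG_LEN = hashlib.sha256().digest_size


class GroupProvider:
    """samba side of the loopback socket: answers 'which SIDs does X have?'"""

    def __init__(self, path):
        self.path = path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(path)
        self.sock.listen(1)
        self.sock.settimeout(0.1)  # so the serve loop can notice a stop
        self._stop = False
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                user = conn.recv(4096).decode()
                conn.sendall(json.dumps(GROUP_DB.get(user, [])).encode())

    def close(self):
        self._stop = True
        self.thread.join()
        self.sock.close()
        os.unlink(self.path)


class KDC:
    """Issues PAC blobs and, NETLOGON-style, validates ones it is shown."""

    def __init__(self, provider_path, key):
        self.provider_path = provider_path
        self.key = key
        self.issued = set()  # the "cache of issued PACs" (their signatures)

    def lookup_groups(self, user):
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(self.provider_path)
            s.sendall(user.encode())
            return json.loads(s.recv(65536).decode())

    def issue_pac(self, user):
        body = "\0".join([user] + self.lookup_groups(user)).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        self.issued.add(sig)
        return body + sig

    def validate_pac(self, pac):
        body, sig = pac[:-SIG_LEN], pac[-SIG_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expect, sig) and sig in self.issued


def decode_pac(pac):
    """Non-NT server side (option b): pull (user, [sids]) out of the blob."""
    fields = pac[:-SIG_LEN].decode().split("\0")
    return fields[0], fields[1:]


def authorize(kdc, pac, required_sid):
    """File server: use the group SIDs only if the KDC vouches for the blob."""
    if not kdc.validate_pac(pac):
        return False
    _, sids = decode_pac(pac)
    return required_sid in sids


def demo():
    tmpdir = tempfile.mkdtemp()
    provider = GroupProvider(os.path.join(tmpdir, "groups.sock"))
    try:
        kdc = KDC(provider.path, key=os.urandom(32))
        pac = kdc.issue_pac("phil")
        user, sids = decode_pac(pac)
        # A client that splices an extra SID into the body but keeps the old
        # signature must be refused, whatever the SID list now claims.
        forged = pac[:-SIG_LEN] + b"\0S-1-5-32-544" + pac[-SIG_LEN:]
        return {
            "user": user,
            "sids": sids,
            "member_ok": authorize(kdc, pac, "S-1-5-21-1-2-3-1105"),
            "non_member_ok": authorize(kdc, pac, "S-1-5-32-544"),
            "forged_ok": authorize(kdc, forged, "S-1-5-32-544"),
        }
    finally:
        provider.close()
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

The file server here never holds the KDC's key: it decodes the blob and hands the signature back to the KDC, whose check is "recompute the HMAC and require it to be one I actually issued", which is the cache idea from the message in its simplest form. The tampered case shows why decoding alone (option b) is not enough without that vouching step.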

