Status of Kerberos Support across Samba versions
Mayers, P J
p.mayers at ic.ac.uk
Fri May 5 17:35:10 GMT 2000
> I agree the MIT team aren't likely to bother, but Heimdal might.
>
> Including the right data in the PAC would require the KDC to know about NT
> groups - Samba TNG has a loopback connection feature, which might almost
> be designed for stuff like this:
>
> Connection: KDC->samba on loopback UNIX domain socket
> Query: User's NT group SIDs
> Send KDC->client (ticket with signed group data)
>
> Getting the right data to put into the PAC isn't hard, Samba can pretty
> much do that already, it's knowing what format to put it in. The clients
> will automatically use the PAC data once it's there (calling the NT
> equivalent of setgroups() with the given group data, before setuid() down
> to the user).
>
> Similarly, NT servers which are passed a K ticket from the client will
> "automatically" make use of the data, applying access permissions based on
> the group SIDs in the ticket.
>
> Non-NT servers can either
>
> a) Ignore the PAC, and look the groups up from some database
> b) Decode it, which requires the format.
>
> I'm proposing SMBD do the latter, which passes almost all responsibility
> for Win2K Kerb tickets onto the KDC (it's called buck passing...)
>
> NOTE - almost all - as Nicolas Williams points out, NETLOGON has to be
> able to validate a supplied K ticket's PAC signature, but I suspect some
> kind of "cache" of issued PACs could be used to do that without too much
> trouble. I hope, otherwise the problem could be harder than we think.
>
> Cheers,
> Phil
>
>
> -----Original Message-----
> From: Christopher R. Hertel [SMTP:crh at nts.umn.edu]
> Sent: Friday, May 05, 2000 6:18 PM
> To: p.mayers at ic.ac.uk
> Cc: Samba Technical
> Subject: Re: Status of Kerberos Support across Samba versions
>
> Point well made.
>
> Thing is, even if Samba as a server did have the ability to read the PAC
> data, what would we do with it? We would have to store and validate W2K
> group IDs as well as all of the other auth information.
>
> Also, I don't see that MIT is likely to implement the PAC. See:
>
> http://www.networkworld.com/news/2000/0424kerberos.html
>
> and search for the comments of Paul Hill from MIT.
>
> Even if they did implement the PAC, what data would they include and
> would a W2K client be able to use it?
>
> Chris -)-----
>
> > As I understand it, the PAC issued by Win2K contains signed SIDs, the
> > groups of which the ticketholder is a member. By adding users to groups,
> > requesting a ticket, removing them, and requesting another ticket, it
> > cannot be that hard to reverse the contents.
> >
> > Samba wouldn't issue the PAC anyway - it would be the KDC's job to issue
> > the K5 ticket with the appropriate PAC. Samba would have to *use* the PAC
> > (this might seem a picky distinction, but I'm coming to the point...)
> >
> > So, what would not using the PAC implicate for Samba? Well, you wouldn't
> > know what NT groups the ticket had permissions for. If you're willing to
> > live with a loss of flexibility, you could do a name-based lookup (against
> > the ActiveDirectory, say) to get the groups.
> >
> > I agree a Win2K compliant PDC would have to have a PAC-format-issuing KDC,
> > but I'll leave that up to the MIT or Heimdal boys. Samba can survive
> > without the PAC info - but K5 ticket support (instead of NTLM or whatnot)
> > would be nice.
>
> --
> Christopher R. Hertel -)----- University of Minnesota
> crh at nts.umn.edu Networking and Telecommunications Services
>
> Ideals are like stars; you will not succeed in touching them
> with your hands...you choose them as your guides, and following
> them you will reach your destiny. --Carl Schultz
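The loopback exchange Phil sketches above (the KDC queries Samba for the user's NT group SIDs, puts them in the ticket as signed group data, and a non-NT server either ignores the PAC and looks the groups up itself, or decodes it), as an added Python model that is not part of the original thread and not Samba, Heimdal or MIT code. It does not use the real Win2K PAC encoding, which the thread says was unknown at the time; the JSON body, the single HMAC signature standing in for the PAC signature, `KDC_KEY`, the `DIRECTORY` entries and every SID are constructed stand-ins. It also shows the check Nicolas Williams' point implies: group data taken from a ticket is only trusted after its signature verifies.

```python
import hashlib
import hmac
import json

# Constructed directory standing in for Samba's answer to the KDC's loopback
# query ("User's NT group SIDs"). All SIDs here are made-up sample values.
DIRECTORY = {
    "alice": ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1104"],
    "bob": ["S-1-5-21-1-2-3-513"],
}

# Hypothetical key the KDC uses to sign the group data. The real PAC carries
# separate server and KDC checksums; this toy model uses one HMAC-SHA256.
KDC_KEY = b"constructed-kdc-signing-key"


def lookup_nt_group_sids(user):
    """Samba side of the loopback connection: answer the KDC's group query."""
    return list(DIRECTORY.get(user, []))


def sign(payload, key):
    """Signature over the serialized group data (stand-in for the PAC checksum)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def kdc_issue_ticket(user, key=KDC_KEY):
    """KDC side: fetch the user's group SIDs over the loopback query and put
    them in the ticket as signed authorization data (the PAC stand-in)."""
    pac_body = json.dumps(
        {"user": user, "group_sids": lookup_nt_group_sids(user)}, sort_keys=True
    ).encode()
    return {"client": user, "pac": pac_body, "pac_sig": sign(pac_body, key)}


def server_groups_ignore_pac(ticket):
    """Option (a): ignore the PAC and look the groups up from the database."""
    return lookup_nt_group_sids(ticket["client"])


def server_groups_decode_pac(ticket, key=KDC_KEY):
    """Option (b): decode the PAC, but only after its signature verifies, so a
    ticket whose group data was altered is rejected instead of trusted."""
    if not hmac.compare_digest(sign(ticket["pac"], key), ticket["pac_sig"]):
        raise ValueError("PAC signature check failed")
    body = json.loads(ticket["pac"])
    if body["user"] != ticket["client"]:
        raise ValueError("PAC principal does not match ticket client")
    return body["group_sids"]


def check_access(group_sids, required_sid):
    """Access decision based on the group SIDs, as an NT server would apply."""
    return required_sid in group_sids


def altered_pac_copy(ticket, extra_sid):
    """Constructed test input: a copy of the ticket whose PAC lists one more
    group while the signature is left as issued. Used only to show that the
    decode path rejects it."""
    body = json.loads(ticket["pac"])
    body["group_sids"].append(extra_sid)
    altered = dict(ticket)
    altered["pac"] = json.dumps(body, sort_keys=True).encode()
    return altered


if __name__ == "__main__":
    ticket = kdc_issue_ticket("alice")
    print("ignore PAC:", server_groups_ignore_pac(ticket))
    print("decode PAC:", server_groups_decode_pac(ticket))
    try:
        server_groups_decode_pac(altered_pac_copy(ticket, "S-1-5-21-1-2-3-512"))
    except ValueError as err:
        print("altered ticket rejected:", err)
```

Both server options give the same groups for an unmodified ticket; the difference is where trust sits. Option (a) keeps a database round trip per request, option (b) passes that work to the KDC but then depends entirely on checking the signature, which is why a server that decodes the PAC must never skip that step.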