Status of Kerberos Support across Samba versions

Nicolas Williams willian at
Fri May 5 18:14:46 GMT 2000

[I couldn't tell if p.mayers at was forwarding someone else's post
 or accidentally quoted his post. I'm assuming the latter.]

On Sat May 06 2000, Mayers, P J (p.mayers at wrote:
> I agree the MIT team aren't likely to bother, but Heimdal might. 

I bet that the MIT team is likely to bother implementing an open
standard. The existing standard has to be clarified and an open
replacement for MS's PAC scheme ought to be considered.

> Including the right data in the PAC would require the KDC to know about NT 
> groups - Samba TNG has a loopback connection feature, which might almost 
> be designed for stuff like this: 
> Connection: KDC->samba on loopback UNIX domain socket 
> Query: User's NT group SIDs 
> Send KDC->client (ticket with signed group data) 
> Getting the right data to put into the PAC isn't hard, Samba can pretty 
> much do that already, it's knowing what format to put it in. The clients 
> will automatically use the PAC data once it's there (calling the NT 
> equivalent of setgroups() with the given group data, before setuid() down 
> to the user). 

So far so good. You'll also need an LDAP server using a schema similar
to the one MS uses.

> Similarly, NT server which are passed a K ticket from the client will 
> "automatically" make use of the data, applying access permissions based on 
> the group SIDs in the ticket. 
> Non-NT server can either 
> a) Ignore the PAC, and look the groups up from some database 
> b) Decode it, which requires the format. 
> I'm proposing SMBD do the latter, which passes almost all responsibility 
> for Win2K Kerb tickets onto the KDC (it's called buck passing...) 

Well, what good would it do to know the user's SIDs/RIDs if those are
not used at all on the host that smbd is running?

For one, smbd could perform algorythmic mapping of SID/RIDs to POSIX

Alternatively smbd could look up the corresponding UIDs/GIDs using
either the client principal name or the SID/RIDs referenced in the PAC
as the lookup keys.

Yet another alternative would be to have kernel and file system support
for the use of SID/RIDs instead of or in addition to POSIX UIDs/GIDs.
Luke is a fan of this option. So am I.

> NOTE - almost all - as Nicolas Williams points out, NETLOGON has to be 
> able to validate a supplied K tickets' PAC signature, but I suspect some 
> kind of "cache" of issued PACs could be used to do that without too much 
> trouble. I hope, otherwise the problem could be harder than we think. 

The NetLogon call has to pass the PAC onto the KDC for validation,
probably using the same loopback mechanism. It may or may not be
possible to cache PAC validations. To determine this would require
knowledge of the PAC format and knowledge of the IDL description of that
new NetLogon call. That all has to be reverse engineered.

> Cheers, 
> Phil 


More information about the samba-technical mailing list