Foreign Principal Mapping
ben at phys.psu.edu
Sun Oct 19 10:11:30 GMT 2003
Andrew Bartlett wrote:
> This looks very, very interesting, however there are a few
> implementation issues you need to look at. smbd must not contact the DC
> directly - we need it to ask winbindd. This allows winbindd to cache
> the connection to the DC, as well as the resultant replies.
> What we really should be doing here is:
> - For 'normal' logins, actually use the data contained in the PAC
> - For 'mapped' logins, ask the ADS server for the equivalent data (SIDs
> Andrew Bartlett
Actually, I think that using the PAC data is enough for both cases.
According to the M$ spec, one case when PAC data is generated is "during
a TGS request when the client has no PAC and the target is a service in
So when a client with a foreign and PAC-less, but trusted, TGT requests
a service ticket from the DC, the ticket they receive and then present to the
samba box should be PAC'd (so to speak). This is in fact happening, and
the correct (domain user) RID and other info is there.
What are the plans for looking up users by rid instead of by name?