Foreign Principal Mapping

Benjamin Bennett ben at phys.psu.edu
Sun Oct 19 10:11:30 GMT 2003


Andrew Bartlett wrote:
> This looks very, very interesting, however there are a few
> implementation issues you need to look at.  smbd must not contact the DC
> directly - we need it to ask winbindd.  This allows winbindd to cache
> the connection to the DC, as well as the resultant replies.
> 
> What we really should be doing here is:  
>  - For 'normal' logins, actually use the data contained in the PAC
>  - For 'mapped' logins, ask the ADS server for the equivalent data (SIDs
> etc).
> 
> Andrew Bartlett
> 

Actually, I think that using the PAC data is enough for both cases.

According to the M$ spec, one case when PAC data is generated is "during 
a TGS request when the client has no PAC and the target is a service in 
the domain"

So when a client with a foreign and pac-less, but trusted, tgt requests 
a service tkt from the DC, the tkt they receive and then present to the 
samba box should be PAC'd (so to speak). This is in fact happening, and 
the correct (domain user) RID and other info is there.

What are the plans for looking up users by rid instead of by name?

--ben
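As an added illustration of the PAC structure the thread refers to (this is constructed example code, not code from the thread or from Samba): a small Python parser that walks the PACTYPE header of a service ticket's authorization data, lists the buffers it carries, and decodes the client-name buffer. The sample blob is constructed inline; the logon-info buffer (where the domain RID lives) is NDR-encoded and is only located here, not decoded.

```python
import struct

# Buffer types from the PAC layout (PAC_INFO_BUFFER.ulType values).
PAC_LOGON_INFO = 0x01        # NDR-encoded KERB_VALIDATION_INFO (user RID, groups, ...)
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07
PAC_CLIENT_INFO = 0x0A       # FILETIME ClientId, USHORT NameLength, UTF-16LE Name


def parse_pac(blob: bytes) -> dict:
    """Walk the PACTYPE header and return {ulType: raw buffer bytes}."""
    if len(blob) < 8:
        raise ValueError("too short for a PACTYPE header")
    n_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    buffers = {}
    for i in range(n_buffers):
        # PAC_INFO_BUFFER: ulType, cbBufferSize, Offset (from the start of PACTYPE)
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer {ul_type:#x} runs past the end of the PAC")
        buffers[ul_type] = blob[offset:offset + size]
    return buffers


def client_name(client_info: bytes) -> str:
    """Decode the Name field of a PAC_CLIENT_INFO buffer."""
    (name_len,) = struct.unpack_from("<H", client_info, 8)
    return client_info[10:10 + name_len].decode("utf-16-le")


def build_sample_pac() -> bytes:
    """Constructed test vector, not a captured ticket: one logon-info
    placeholder plus one client-info buffer naming the user 'ben'."""
    logon = b"\x00" * 16                      # stand-in for the NDR logon-info payload
    name = "ben".encode("utf-16-le")
    client = struct.pack("<QH", 0, len(name)) + name   # 8 + 2 + 6 = 16 bytes
    header_len = 8 + 16 * 2                   # PACTYPE header + two PAC_INFO_BUFFER entries
    header = struct.pack("<II", 2, 0)
    header += struct.pack("<IIQ", PAC_LOGON_INFO, len(logon), header_len)
    header += struct.pack("<IIQ", PAC_CLIENT_INFO, len(client), header_len + len(logon))
    return header + logon + client


if __name__ == "__main__":
    pac = parse_pac(build_sample_pac())
    print("buffers:", [hex(t) for t in pac], "client:", client_name(pac[PAC_CLIENT_INFO]))
```

A ticket whose authorization data parses to an empty or absent logon-info buffer is the "pac-less" case discussed above; the presence of type 0x01 is what makes the RID available without a separate directory lookup.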