Domain Join w/ SChannel GSS-API Kerberos for JCIFS

Michael B Allen mba2000 at ioplex.com
Mon Nov 15 04:09:15 GMT 2004


I'm not very strong with protocol details so I thought I could ask a
question here considering you guys have deciphered and implemented a lot
of this stuff.

For JCIFS 2.0 I want to rebuild the library around a modern security
system. To determine what I need to do I have a single use-case that I
think touches on most of the important pieces. The use-case is to log on to
a Kerberos domain, obtain the PAC for the user, and from that determine if
she is a member of a certain group. My rough understanding of what needs
to happen to do this is as follows:

  1) Join the domain
  2) DCE bind w/ schannel
  3) Do GSS-API to get Kerberos ticket
  4) Send blob from ticket to KDC to get group membership
  5) Do ACL stuff

We have ncacn_np RPCs workin' pretty well at this point. I've been looking
at the GSS-API RFC on the train (man it's long-winded!). I have a few
packet captures of pass-through authentication. Ideally I want to write a
Win32 program that performs the entire exchange against Samba so I can run
it over and over from the beginning (initially with schannel turned off).
Can someone describe the exact sequence of calls I need? What's a good
plan?

Considering how pervasive Java and MS are on large corporate Intranets,
fully integrating the two while retaining platform independence would be a
great alternative to .NET. I greatly appreciate any help.

Mike
