Domain Join w/ SChannel GSS-API Kerberos for JCIFS

Andrew Bartlett abartlet at samba.org
Mon Nov 15 05:48:03 GMT 2004


On Mon, 2004-11-15 at 15:09, Michael B Allen wrote:
> I'm not very strong with protocol details so I thought I could ask a
> question here considering you guys have deciphered and implemented a lot
> of this stuff.
> 
> For JCIFS 2.0 I want to rebuild the library around a modern security
> system. To determine what I need to do I have a single use-case that I
> think touches on most of the important pieces. The use-case is to logon to
> a Kerberos domain, obtain the PAC for the user, and from that determine if
> she is a member of a certain group. My rough understanding of what needs
> to happen to do this is as follows:
> 
>   1) Join the domain
>   2) DCE bind w/ schannel
>   3) Do GSS-API to get Kerberos ticket
>   4) Send blob from ticket to KDC to get group membership
>   5) Do ACL stuff

This is incorrect.  Instead:

1) Join the domain (or have somebody else supply a keytab, via ktpass or
samba)
2) User performs a kerberos login to your software
3) Extract and verify the PAC, inside your software
4) Do ACL stuff

If you don't have a kerberos ticket, but instead a username/password,
you just do the kerberos login yourself.

You only need to actively talk to the DC for NTLM authentication, and I
always suggest people do that via Samba anyway :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
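Step 3 of the list above, verifying the PAC locally with the service's own key instead of asking the DC, as an added Python example that is not code from this thread, from JCIFS or from Samba. It assumes the AP-REQ ticket has already been decrypted with the keytab key and that the key is an RC4-HMAC key (`service_key`, a constructed value here); it parses the MS-PAC buffer table and recomputes the server checksum as specified in RFC 4757, leaving the KDC checksum unverified because the service holds no krbtgt key, and treats the logon-info buffer (where group SIDs live) as opaque constructed bytes.

```python
import hashlib, hmac, struct

# Constants from MS-PAC and RFC 4757 (real values).
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # checksum type used with RC4-HMAC keys
KERB_NON_KERB_CKSUM_SALT = 17         # key usage number for PAC signatures

def parse_pac(pac: bytes) -> dict:
    # PACTYPE header: cBuffers, Version, then PAC_INFO_BUFFER[ulType, cbBufferSize, Offset]
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    bufs = {}
    for i in range(count):
        ultype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        bufs[ultype] = (offset, pac[offset:offset + size])
    return bufs

def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    # HMAC-MD5 checksum for RC4-HMAC keys, RFC 4757 section 4
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def verify_server_checksum(pac: bytes, service_key: bytes) -> bool:
    # Recompute the server signature over the PAC with both Signature fields zeroed
    bufs = parse_pac(pac)
    blank = bytearray(pac)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off, sig = bufs[t]
        blank[off + 4:off + len(sig)] = bytes(len(sig) - 4)   # keep SignatureType
    off, sig = bufs[PAC_SERVER_CHECKSUM]
    if struct.unpack_from("<I", sig)[0] != KERB_CHECKSUM_HMAC_MD5:
        return False
    expected = rc4_hmac_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(blank))
    return hmac.compare_digest(sig[4:], expected)

def build_sample_pac(logon_info: bytes, service_key: bytes) -> bytes:
    # Constructed test PAC: the KDC checksum stays zero because we hold no krbtgt key
    sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)
    bodies = [(PAC_LOGON_INFO, logon_info), (PAC_SERVER_CHECKSUM, sig), (PAC_PRIVSVR_CHECKSUM, sig)]
    table, data = b"", b""
    for t, body in bodies:
        table += struct.pack("<IIQ", t, len(body), 8 + 16 * len(bodies) + len(data))
        data += body + bytes(-len(body) % 8)             # buffers are 8-byte aligned
    pac = bytearray(struct.pack("<II", len(bodies), 0) + table + data)
    off = parse_pac(bytes(pac))[PAC_SERVER_CHECKSUM][0]
    pac[off + 4:off + 20] = rc4_hmac_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    return bytes(pac)
```

A real RC4-HMAC keytab key is the MD4 of the UTF-16LE account password; the 16-byte key in the test is a constructed stand-in.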