PAC signature verification for Samba3

Luke Howard lukeh at padl.com
Fri Aug 12 04:11:00 GMT 2005


>> I'm not sure this makes sense under POSIX though (can a non-root
>> process set its effective UID to an arbitrary one?). Even if it did you
>> want to avoid it if at all possible because the signature validation RPC
>> completely destroys the performance advantage of Kerberos authentication,
>> being that the accepting service does not need to contact a third party
>> in order to authenticate a client.
>
>The scary part of this is due to the implications of
>servicePrincipalNames.  A single key is shared between what in unix are
>services in different security contexts.  While we can't ask the kernel
>to upgrade us from non-root to another non-root user, the HTTP service
>could construct a ticket acceptable to the CIFS service, and elevate
>privileges that way.

They don't have to be shared. If you don't trust the HTTP service, then
create another account for them with a separate key and appropriate SPN.

>Given this, I need to think very carefully about how we handle those
>secrets, and how keytabs (in particular) are shared about.  I think KCM
>(Kerberos Credentials Manager) plays a role in here somewhere, but I'm
>yet to pin down exactly what it does, except to say it sounds neat :-)

KCM is a daemon-backed credentials cache, with some extra smarts for
managing initiator credentials for services. It's like the analogous
component of the LSA.

-- Luke
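The point Luke makes about shared keys can be checked mechanically on a host: because every SPN registered on one AD account derives its key from that account's password, a keytab containing both an HTTP and a cifs principal with identical key bytes is the exact situation the thread describes, and the fix is the one he gives (a separate account and key per service). The following audit script is an added example, not code from this thread or from Samba; it assumes the MIT keytab file format version 2 (magic 0x0502), and the keytab it inspects is constructed inline from dummy key bytes so it runs offline.

```python
"""Flag service principals of different classes that share key material in a keytab."""
import struct
from collections import defaultdict

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2


def _counted(raw: bytes) -> bytes:
    """Encode a keytab counted_octet_string: uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples as a v2 keytab.
    Exists only so the example runs offline; the keys fed in below are
    constructed dummy bytes, not real Kerberos key material."""
    out = KEYTAB_MAGIC
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno)  # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data: bytes):
    """Parse a v2 keytab into dicts carrying principal, enctype, kvno and key bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip over it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        pos = end  # skips the optional trailing 32-bit kvno some writers emit
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def shared_service_keys(entries):
    """Return sorted groups of principals whose service classes differ but whose key is identical."""
    by_key = defaultdict(set)
    for e in entries:
        by_key[(e["enctype"], e["key"])].add(e["principal"])
    findings = []
    for principals in by_key.values():
        if len({p.split("/", 1)[0] for p in principals}) > 1:
            findings.append(sorted(principals))
    return sorted(findings)


# Constructed sample: one account hosting both the HTTP and cifs SPNs of a host
# (so both entries carry the same key) and a second account with its own key.
# enctype 18 is aes256-cts-hmac-sha1-96.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/web.example.com@EXAMPLE.COM", 18, b"A" * 32, 3),
    ("cifs/web.example.com@EXAMPLE.COM", 18, b"A" * 32, 3),
    ("HTTP/intranet.example.com@EXAMPLE.COM", 18, b"B" * 32, 1),
])


def audit(data: bytes = SAMPLE_KEYTAB):
    """Parse a keytab and report cross-service key sharing."""
    return shared_service_keys(parse_keytab(data))


if __name__ == "__main__":
    for group in audit():
        print("same key shared across service classes:", ", ".join(group))
```

On a real host you would pass the bytes of the system keytab to `audit()`; a non-empty result means that the services listed run under one set of credentials, and the remedy is a dedicated account (hence a distinct key) for each service that is not trusted to act as the others.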
