[PATCH] Kerberos PAC verification (and use) for samba 3

Andrew Bartlett abartlet at samba.org
Tue Sep 20 23:47:35 GMT 2005


On Tue, 2005-09-20 at 15:55 -0700, Arup Biswas wrote:
> <Currently I'm researching why resource groups get into the extra_sids
> <array (instead of the resource group array). Anyone ever seen SIDs being
> <put in the resource groups-array inside a PAC? I just can't trigger the
> <Windows KDC to do that.
> 
> Maybe, this is because you are not adding the following condition as
> discussed in my last post?
> 
> if (userFlags & LOGON_EXTRA_SIDS)
>     parse_extra_sids();

Sure, but on the member server we can't influence the data the KDC is
sending in the PAC.  The issue isn't knowing how or when to parse it
(this can be done a number of ways, but as you correctly point out,
there is a flag for it), but why the KDC doesn't seem to fill this in.

My guess is that this functionality was rolled into the main
ValidationInfo section of the PAC, and that the same applies to NTLM
netlogon.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
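
The flag-gated parsing discussed in this message, as an added example that is not part of the original post and is not Samba's code. It assumes a hypothetical, simplified `struct logon_info` holding already-decoded counts, uses the UserFlags bit values documented in MS-PAC, and treats a flag that disagrees with its array as an error, which is a policy choice of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* UserFlags bits of KERB_VALIDATION_INFO as documented in MS-PAC. */
#define LOGON_EXTRA_SIDS      0x00000020u
#define LOGON_RESOURCE_GROUPS 0x00000200u

/* Hypothetical, simplified view of an already-decoded logon info buffer. */
struct logon_info {
    uint32_t user_flags;
    uint32_t group_count;          /* group RIDs in the account domain */
    uint32_t extra_sid_count;      /* entries in the extra SIDs array */
    uint32_t resource_group_count; /* entries in the resource groups array */
};

enum pac_check { PAC_OK = 0, PAC_EXTRA_MISMATCH, PAC_RESGROUP_MISMATCH };

/* A flag and its array must agree: both present or both absent. */
static int flag_matches(uint32_t flags, uint32_t bit, uint32_t count)
{
    return ((flags & bit) != 0) == (count != 0);
}

/* Reject buffers whose flags do not describe the arrays that were sent. */
enum pac_check check_logon_info(const struct logon_info *li)
{
    if (!flag_matches(li->user_flags, LOGON_EXTRA_SIDS, li->extra_sid_count))
        return PAC_EXTRA_MISMATCH;
    if (!flag_matches(li->user_flags, LOGON_RESOURCE_GROUPS,
                      li->resource_group_count))
        return PAC_RESGROUP_MISMATCH;
    return PAC_OK;
}

/* Count the SIDs a member server would place in the token: an array is
 * consumed only when its flag is set, whichever array the KDC used. */
size_t token_sid_count(const struct logon_info *li)
{
    size_t n = li->group_count;
    if (li->user_flags & LOGON_EXTRA_SIDS)
        n += li->extra_sid_count;
    if (li->user_flags & LOGON_RESOURCE_GROUPS)
        n += li->resource_group_count;
    return n;
}

int main(void)
{
    /* Constructed sample: groups delivered only through the extra SIDs array. */
    struct logon_info li = { LOGON_EXTRA_SIDS, 2, 3, 0 };
    return check_logon_info(&li) == PAC_OK && token_sid_count(&li) == 5 ? 0 : 1;
}
```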