[PATCH] Kerberos PAC verification (and use) for samba 3

Arup Biswas abiswas at pillardata.com
Wed Sep 21 00:00:34 GMT 2005


I must admit that I don't know why the KDC does not fill in that field but
adding the condition seems to pass my (limited) tests. Would be glad if that
fixes the resource group/extra sids mixup problem.

Thanks,
-Arup

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, September 20, 2005 4:48 PM
To: Arup Biswas
Cc: samba-technical at lists.samba.org
Subject: Re: [PATCH] Kerberos PAC verification (and use) for samba 3

On Tue, 2005-09-20 at 15:55 -0700, Arup Biswas wrote:
> > Currently I'm researching why resource groups get into the extra_sids
> > array (instead of the resource group array). Anyone ever seen SIDs
> > being put in the resource groups-array inside a PAC? I just can't
> > trigger the Windows KDC to do that.
> 
> Maybe, this is because you are not adding the following condition as
> discussed in my last post?
> 
> if (userFlags & LOGON_EXTRA_SIDS)
>     parse_extra_sids();

Sure, but on the member server we can't influence the data the KDC is
sending in the PAC.  The issue isn't knowing how or when to parse it
(this can be done a number of ways, but as you correctly point out,
there is a flag for it), but why the KDC doesn't seem to fill this in.

My guess is that this functionality was rolled into the main
ValidationInfo section of the PAC, and that the same applies to NTLM
netlogon.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
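As an added illustration of the flag gating discussed in this thread (example code written for this archive page, not Samba's own), a member server can refuse a PAC whose ExtraSids or ResourceGroup arrays are populated without the matching UserFlags bit, which is the consistency check that separates the two arrays Arup saw mixed up. The struct is a simplified, constructed model of the already-decoded logon info, and the flag values assumed are the MS-PAC UserFlags bits (LOGON_EXTRA_SIDS 0x20, LOGON_RESOURCE_GROUPS 0x200).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* UserFlags bits from the MS-PAC KERB_VALIDATION_INFO structure
 * (Samba calls them NETLOGON_EXTRA_SIDS / NETLOGON_RESOURCE_GROUPS). */
#define LOGON_EXTRA_SIDS      0x00000020
#define LOGON_RESOURCE_GROUPS 0x00000200

/* Simplified model of the decoded PAC logon info, constructed for this
 * example; it is not Samba's NDR-generated struct. */
struct pac_logon_info {
    uint32_t user_flags;
    uint32_t sid_count;                 /* entries in extra_sids */
    const char **extra_sids;            /* textual SIDs, e.g. "S-1-5-21-...-1105" */
    uint32_t resource_group_count;      /* entries in resource_group_rids */
    const uint32_t *resource_group_rids;
};

enum pac_check {
    PAC_OK = 0,
    PAC_EXTRA_SIDS_UNFLAGGED,       /* ExtraSids present but flag D not set */
    PAC_RESOURCE_GROUPS_UNFLAGGED   /* ResourceGroupIds present but flag H not set */
};

/* Reject a PAC whose optional arrays disagree with UserFlags, so a consumer
 * never picks SIDs out of an array the KDC did not declare as populated. */
enum pac_check check_pac_optional_arrays(const struct pac_logon_info *info)
{
    bool extra_flag = (info->user_flags & LOGON_EXTRA_SIDS) != 0;
    bool extra_data = info->sid_count > 0 && info->extra_sids != NULL;
    if (extra_data && !extra_flag)
        return PAC_EXTRA_SIDS_UNFLAGGED;

    bool rg_flag = (info->user_flags & LOGON_RESOURCE_GROUPS) != 0;
    bool rg_data = info->resource_group_count > 0 && info->resource_group_rids != NULL;
    if (rg_data && !rg_flag)
        return PAC_RESOURCE_GROUPS_UNFLAGGED;
    return PAC_OK;
}

/* The gating from the thread: walk ExtraSids only when the flag permits it.
 * Returns the number of SIDs handed to the (optional) callback. */
uint32_t parse_extra_sids(const struct pac_logon_info *info,
                          void (*on_sid)(const char *sid, void *ctx), void *ctx)
{
    if (!(info->user_flags & LOGON_EXTRA_SIDS))
        return 0;
    for (uint32_t i = 0; i < info->sid_count; i++)
        if (on_sid) on_sid(info->extra_sids[i], ctx);
    return info->sid_count;
}
```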
