[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Fri Aug 17 15:20:12 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 08/10/2012 02:32:41 PM:

> On Fri, 2012-08-10 at 11:12 -0700, Christof Schmitt wrote:
> This really needs some unit tests.  That way we can keep it working.
> 
> I know this might seem quite difficult, but there is a way to do it. 
> 
> What we need to do is very much like the RPC-PAC test, so I would
> suggest extending that test to have an additional case that uses the
> local (existing) machine account rather than creating one.  This would
> then run against the 'member' environment in our selftest (and add
> knownfail entries for the environments where the new test doesn't run
> against an s3 winbindd, or put it in a new suite).
> 
> Like how this test feeds the PAC signature to the netlogon server for
> verification, this would feed the whole blob.  The common credentials
> layer can read the (s3) secrets.tdb, so it should be able to accept the
> kerberos ticket, get the PAC and then both forward it on as well as do a
> local parse.  That should allow you to then confirm all the details in
> the reply. 

I have been going through the smbtorture and libcli code, but I could
not find a good way to obtain the ticket with the PAC. I might need
some help to understand this part. smbtorture can take the flags
--machine-pass -k yes to use the machine account and kerberos. What is
the next step to get the ticket? Does the cli code put it in
cli_credentials? Or would the testcase need to use the gensec_client
calls?

Thanks,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
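The "local parse" of the PAC that Andrew suggests, as an added illustration that is not Samba or smbtorture code (Python rather than the C a torture test would use): it walks the MS-PAC container (PACTYPE header and PAC_INFO_BUFFER directory), pulls out PAC_CLIENT_INFO, and checks the server signature and the KDC signature using the RFC 4757 HMAC-MD5 keyed checksum with key usage 17, which is the checksum type that goes with RC4-HMAC keys. The blob, the two RC4 keys (SERVICE_KEY, KDC_KEY) and the bytes standing in for the logon-info buffer are all constructed here; the user and group SIDs live in the NDR-encoded KERB_VALIDATION_INFO (buffer type 1), which this example leaves opaque because decoding it needs an NDR parser.

```python
"""Local parse of an MS-PAC blob and check of its signatures.

Added illustration, not Samba or smbtorture code.  The PAC, the two
RC4-HMAC keys and the logon-info bytes are constructed below.
"""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER.ulType values (MS-PAC 2.4).  Type 1 is the NDR-encoded
# KERB_VALIDATION_INFO carrying the SIDs; it is left opaque here.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_KDC_CHECKSUM = 7
PAC_CLIENT_INFO = 10

# PAC_SIGNATURE_DATA.SignatureType values and their signature lengths
# (0x0F/0x10 are the AES128/AES256 HMAC-SHA1-96 types, parsed but not verified here).
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76      # -138, used with RC4-HMAC keys
SIGNATURE_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, 0x0F: 12, 0x10: 12}
KERB_NON_KERB_CKSUM_SALT = 17            # key usage for PAC signatures


def parse_directory(blob):
    """Return [(ulType, cbBufferSize, Offset), ...] from the PACTYPE header."""
    if len(blob) < 8:
        raise ValueError("too short for PACTYPE")
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unknown PACTYPE.Version %d" % version)
    if 8 + 16 * cbuffers > len(blob):
        raise ValueError("buffer directory runs past end of PAC")
    entries = []
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer type %d runs past end of PAC" % ultype)
        entries.append((ultype, size, offset))
    return entries


def get_buffer(blob, entries, wanted):
    for ultype, size, offset in entries:
        if ultype == wanted:
            return blob[offset:offset + size]
    raise KeyError("PAC has no buffer of type %d" % wanted)


def parse_signature(buf):
    """Split PAC_SIGNATURE_DATA into (SignatureType, Signature)."""
    sigtype, = struct.unpack_from("<I", buf, 0)
    if sigtype not in SIGNATURE_LEN:
        raise ValueError("unsupported SignatureType 0x%x" % sigtype)
    return sigtype, buf[4:4 + SIGNATURE_LEN[sigtype]]


def zero_signatures(blob, entries):
    """Copy of the PAC with both Signature fields zeroed: that is what gets signed."""
    data = bytearray(blob)
    for ultype, size, offset in entries:
        if ultype in (PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM):
            sigtype, _ = parse_signature(bytes(data[offset:offset + size]))
            data[offset + 4:offset + 4 + SIGNATURE_LEN[sigtype]] = bytes(SIGNATURE_LEN[sigtype])
    return bytes(data)


def hmac_md5_checksum(key, usage, data):
    """RFC 4757 section 4 keyed checksum for RC4-HMAC keys."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_pac(blob, service_key, kdc_key=None):
    """True if the server signature (and, given kdc_key, the KDC signature) verify."""
    entries = parse_directory(blob)
    stype, ssig = parse_signature(get_buffer(blob, entries, PAC_SERVER_CHECKSUM))
    if stype != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("only HMAC-MD5 signatures are verified here")
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, zero_signatures(blob, entries))
    ok = hmac.compare_digest(expected, ssig)
    if kdc_key is not None:
        # The KDC signs the server signature bytes, not the PAC body.
        ktype, ksig = parse_signature(get_buffer(blob, entries, PAC_KDC_CHECKSUM))
        ok = (ok and ktype == KERB_CHECKSUM_HMAC_MD5 and
              hmac.compare_digest(hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, ssig), ksig))
    return ok


def make_client_info(client_id, name):
    """PAC_CLIENT_INFO: ClientId FILETIME, NameLength in bytes, UTF-16LE Name."""
    utf16 = name.encode("utf-16-le")
    return struct.pack("<QH", client_id, len(utf16)) + utf16


def parse_client_info(buf):
    client_id, name_len = struct.unpack_from("<QH", buf, 0)
    return client_id, buf[10:10 + name_len].decode("utf-16-le")


def build_pac(payload, service_key, kdc_key):
    """Lay out payload buffers plus server/KDC checksum buffers, then sign them."""
    stub = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)
    bufs = list(payload) + [(PAC_SERVER_CHECKSUM, stub), (PAC_KDC_CHECKSUM, stub)]
    header = struct.pack("<II", len(bufs), 0)
    offset = len(header) + 16 * len(bufs)
    directory, body = b"", b""
    for ultype, data in bufs:
        pad = (-offset) % 8                  # buffers start on 8-byte boundaries
        body += bytes(pad)
        offset += pad
        directory += struct.pack("<IIQ", ultype, len(data), offset)
        body += data
        offset += len(data)
    blob = bytearray(header + directory + body)
    entries = parse_directory(bytes(blob))
    ssig = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, zero_signatures(bytes(blob), entries))
    soff = [e[2] for e in entries if e[0] == PAC_SERVER_CHECKSUM][0]
    koff = [e[2] for e in entries if e[0] == PAC_KDC_CHECKSUM][0]
    blob[soff + 4:soff + 20] = ssig
    blob[koff + 4:koff + 20] = hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, ssig)
    return bytes(blob)


# Constructed sample: hypothetical member-server and krbtgt RC4 keys, an opaque
# stand-in for the NDR logon info, and a client-info buffer for "christof".
SERVICE_KEY = bytes(range(16))
KDC_KEY = bytes(range(16, 32))
SAMPLE_PAC = build_pac([(PAC_LOGON_INFO, b"LOGON-INFO-PLACEHOLDER!!"),
                        (PAC_CLIENT_INFO, make_client_info(0, "christof"))],
                       SERVICE_KEY, KDC_KEY)

if __name__ == "__main__":
    entries = parse_directory(SAMPLE_PAC)
    print("buffers:", [e[0] for e in entries])
    print("client:", parse_client_info(get_buffer(SAMPLE_PAC, entries, PAC_CLIENT_INFO)))
    print("signatures valid:", verify_pac(SAMPLE_PAC, SERVICE_KEY, KDC_KEY))
```

A member server only holds its own key, so it can check the server signature locally and must hand the PAC (or at least its signature) to a DC over NetLogon for the KDC signature, which is the forward-plus-local-parse split in the quoted suggestion. Any edit to the logon-info bytes, or a signature made with a different key, makes verify_pac return False; a PAC signed with an AES checksum type raises here rather than being accepted unverified.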


