[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Wed Aug 29 15:52:34 MDT 2012


On Fri, 2012-08-24 at 10:04 +1000, Andrew Bartlett wrote:
> On Fri, 2012-08-17 at 14:20 -0700, Christof Schmitt wrote:
> > Andrew Bartlett <abartlet at samba.org> wrote on 08/10/2012 02:32:41 PM:
> > 
> > > On Fri, 2012-08-10 at 11:12 -0700, Christof Schmitt wrote:
> > > This really needs some unit tests.  That way we can keep it working.
> > > 
> > > I know this might seem quite difficult, but there is a way to do it. 
> > > 
> > > What we need to do is very much like the RPC-PAC test, so I would
> > > suggest extending that test to have an additional case that uses the
> > > local (existing) machine account rather than creating one.  This would
> > > then run against the 'member' environment in our selftest (and add
> > > knownfail entries for the environments where the new test doesn't run
> > > against an s3 winbindd, or put it in a new suite).
> > > 
> > > Like how this test feeds the PAC signature to the netlogon server for
> > > verification, this would feed the whole blob.  The common credentials
> > > layer can read the (s3) secrets.tdb, so it should be able to accept the
> > > Kerberos ticket, get the PAC and then both forward it on as well as do a
> > > local parse.  That should allow you to then confirm all the details in
> > > the reply. 
> > 
> > I have been going through the smbtorture and libcli code, but I could
> > not find a good way to obtain the ticket with the PAC. I might need
> > some help to understand this part. smbtorture can take the flags
> > --machine-pass -k yes to use the machine account and Kerberos. What is
> > the next step to get the ticket? Does the cli code put it in
> > cli_credentials? Or would the testcase need to use the gensec_client
> > calls?
> 
> This is the start of the test we worked on today.
> 
> It fails in Samba4's gssapi server, not being able to find the right
> entry in the in-memory keytab.  I'll try and sort that out if you don't
> manage to.
> 
> Hopefully this gives you a much better idea what I was thinking of when
> I started you on this wild goose chase ;-)

I've fixed the infrastructure, and am autobuilding this:

https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/winbind-pac-test

Adding your test on top should be pretty trivial from here, sorry for
the delay.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
