[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Tue Jul 3 16:14:30 MDT 2012


Christof Schmitt/Tucson/IBM wrote on 07/03/2012 03:12:07 PM:
> simo <idra at samba.org> wrote on 07/03/2012 02:26:25 PM:
> 
> > On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote: 
> > > The attached patches implement a new winbind interface function
> > > wbcPacToSids. External applications that received a kerberos
> > > ticket from an ADS can use this function to extract the SIDs from
> > > the PAC in in the kerberos ticket. This allows external
> > > applications to retrieve the user ids without reimplementing the
> > > code for decoding the PAC.
> > 
> > Christof why do you need a Winbindd extension for this ?
> > 
> > We have a library that already allows all this w/o adding intefaces to
> > winbind that we then have to support for a long time.
> > 
> > Is there a particular reason why you can't link to the appropriate
> > samba4 libraries ?
> 
> I was not aware of the samba4 libraries and it seems that the
> autotools build does not build them as
> libraries. kerberos_decode_pac seems to be available in
> libauthkrb5.so and pac_utils.h. Is this a stable interface for
> external applications?
> 
> (CC'ing Volker since he was also involved in discusisons about
> providing this interface.)

Sorry, forgot the actual cc.

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)



More information about the samba-technical mailing list