[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Tue Jul 3 16:23:45 MDT 2012


On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> The attached patches implement a new winbind interface function
> wbcPacToSids. External applications that received a Kerberos
> ticket from an ADS can use this function to extract the SIDs from
> the PAC in the Kerberos ticket. This allows external
> applications to retrieve the user ids without reimplementing the
> code for decoding the PAC.

This looks like a good start, but I think we should go further than
this, particularly in justifying why this belongs as a winbind command.

I see this in two places:
 - Do you really want the list of SIDs, or would output as a list of
uid/gid values actually make more sense for your application (certainly
I think if we expose this, we should expose both variants).
 - The list of SIDs is not complete: we should have this return the
same token that would be constructed if the user logged in via CIFS.
That way, whatever is using this won't miss out on local groups, builtin
and well-known SIDs.

This latter step will be a bit trickier (an extension to the auth4
interface layer would do it nicely), but I'm happy to assist with that.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
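The two points in the reply above, as an added example that is not Samba or winbind code and is not from either author: starting from an already NDR-decoded KERB_VALIDATION_INFO (field names from MS-PAC), it builds the SID list a PAC literally carries, then the fuller token a CIFS logon would hold (well-known SIDs plus BUILTIN alias membership), and finally the uid/gid view of that token. The SID wire encoding follows MS-DTYP RPC_SID. All input values, the BUILTIN alias map and the idmap table are constructed for the example and do not reflect how winbind actually resolves them. One caveat the thread leaves implicit: nothing in this list should be trusted until the PAC's server checksum has been verified with the service key, since the SIDs come straight from the ticket.

```python
"""Added example only, not Samba/winbind code.  Field names follow MS-PAC
KERB_VALIDATION_INFO and MS-DTYP RPC_SID; every input value, the well-known
SID additions, BUILTIN_ALIASES and IDMAP are constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Real well-known SIDs that a PAC never carries but a logon token contains;
# which ones apply depends on the logon type (a network logon is assumed).
WELL_KNOWN_FOR_NETWORK_LOGON = ["S-1-1-0", "S-1-5-11", "S-1-5-2"]

# Constructed BUILTIN alias membership: "Domain Users" (RID 513) -> BUILTIN\Users.
BUILTIN_ALIASES: Dict[str, List[str]] = {"S-1-5-32-545": ["S-1-5-21-1111-2222-3333-513"]}

# Constructed idmap table (SID -> unix id); winbind uses pluggable backends.
IDMAP: Dict[str, int] = {
    "S-1-5-21-1111-2222-3333-1105": 10005,
    "S-1-5-21-1111-2222-3333-513": 10000,
    "S-1-5-21-1111-2222-3333-1120": 10020,
    "S-1-5-32-545": 10545,
}


def sid_from_bytes(buf: bytes) -> str:
    """Decode an RPC_SID wire structure into S-1-... string form."""
    if len(buf) < 8 or buf[0] != 1 or len(buf) != 8 + 4 * buf[1]:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(buf[2:8], "big")          # 6-byte big-endian authority
    subs = struct.unpack("<%dI" % buf[1], buf[8:])       # little-endian sub-authorities
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Encode S-1-... string form as an RPC_SID wire structure."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1" or len(parts) - 3 > 15:
        raise ValueError("malformed SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


@dataclass
class LogonInfo:
    """Subset of KERB_VALIDATION_INFO after NDR decoding (decoding not shown)."""
    logon_domain_id: str
    user_id: int
    primary_group_id: int
    group_ids: List[Tuple[int, int]]                                    # (RelativeId, Attributes)
    extra_sids: List[Tuple[bytes, int]] = field(default_factory=list)   # (RPC_SID blob, Attributes)
    resource_group_domain_sid: Optional[str] = None
    resource_group_ids: List[Tuple[int, int]] = field(default_factory=list)


def pac_sids(info: LogonInfo) -> List[str]:
    """The SIDs the PAC literally carries (user, primary group, domain groups,
    ExtraSids, resource groups): the incomplete list the reply objects to."""
    sids = ["%s-%d" % (info.logon_domain_id, info.user_id),
            "%s-%d" % (info.logon_domain_id, info.primary_group_id)]
    sids += ["%s-%d" % (info.logon_domain_id, rid) for rid, _ in info.group_ids]
    sids += [sid_from_bytes(blob) for blob, _ in info.extra_sids]
    if info.resource_group_domain_sid:
        sids += ["%s-%d" % (info.resource_group_domain_sid, rid)
                 for rid, _ in info.resource_group_ids]
    return list(dict.fromkeys(sids))  # de-duplicate, keep order (user SID stays first)


def full_token(info: LogonInfo) -> List[str]:
    """Approximation of the token a CIFS logon would build: PAC SIDs, then the
    well-known SIDs, then BUILTIN aliases any of those SIDs is a member of."""
    sids = pac_sids(info) + WELL_KNOWN_FOR_NETWORK_LOGON
    for alias, members in BUILTIN_ALIASES.items():
        if any(m in sids for m in members):
            sids.append(alias)
    return list(dict.fromkeys(sids))


def token_to_unix_ids(sids: List[str], idmap: Dict[str, int]) -> Tuple[int, List[int]]:
    """The uid/gid view of a token: first SID is the user; SIDs with no mapping
    (e.g. S-1-1-0) are dropped, which is why the SID list is the richer form."""
    if sids[0] not in idmap:
        raise KeyError("user SID %s has no unix id" % sids[0])
    return idmap[sids[0]], [idmap[s] for s in sids[1:] if s in idmap]


def sample_logon_info() -> LogonInfo:
    """Constructed input standing in for a decoded PAC logon-info buffer."""
    return LogonInfo(
        logon_domain_id="S-1-5-21-1111-2222-3333", user_id=1105, primary_group_id=513,
        group_ids=[(513, 7), (1120, 7)],
        extra_sids=[(sid_to_bytes("S-1-18-1"), 7)],   # Authentication Authority Asserted Identity
        resource_group_domain_sid="S-1-5-21-1111-2222-3333", resource_group_ids=[(1130, 7)])


if __name__ == "__main__":
    info = sample_logon_info()
    print("PAC SIDs:  ", pac_sids(info))
    print("full token:", full_token(info))
    print("uid/gids:  ", token_to_unix_ids(full_token(info), IDMAP))
```

Running it shows the difference the reply is about: Everyone, Authenticated Users, Network and BUILTIN\Users appear only in the full token, and the unmapped resource group and well-known SIDs vanish again in the uid/gid view, which is the argument for exposing both variants.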


