[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Tue Jul 3 16:43:51 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 07/03/2012 03:23:45 PM:

> On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> > The attached patches implement a new winbind interface function
> > wbcPacToSids. External applications that received a kerberos
> > ticket from an ADS can use this function to extract the SIDs from
> > the PAC in the kerberos ticket. This allows external
> > applications to retrieve the user ids without reimplementing the
> > code for decoding the PAC.
> 
> This looks like a good start, but I think we should go further than
> this, particularly in justifying why this belongs as a winbind command.
> 
> I see this in two places:
>  - Do you really want the list of SIDs, or would output as a list of
> uid/gid values actually make more sense for your application (certainly
> I think if we expose this, we should expose both variants).

The interface will be used by the Ganesha NFS server. Here is a
first take on using an interface like this:
https://github.com/rongzeng/nfs-ganesha/commit/6ecbe93fab3e5f04da61d201c10ecbb93dd6de9a

We want the mapped uid and gids. When I played with implementing
the additional mapping to uid/gids, I ended up calling
wbcSidsToUnixIds. Moving that to the client looked like the
easier approach, since it is already available in wbclient.h.
I can add another interface function to get the uid/gids,
e.g. wbcPacToUnixIds.

>  - The list of SIDs is not complete:  We should have this return the
> same token that would be constructed if the user logged in via CIFS.
> That way, whatever is using this won't miss out on local groups, builtin
> and well known SIDS.
> 
> This latter step will be a bit trickier (an extension to the auth4
> interface layer would do it nicely), but I'm happy to assist with that.

I missed that part, but since the ids will be used for
authentication, the same ids as if using CIFS should be
available. What would be required to get the missing SIDs and ids?

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
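Added illustration for the client-side mapping step discussed above (not code from the patch, Samba or Ganesha): a parser that turns textual SIDs into the struct wbcDomainSid layout that wbcSidsToUnixIds() consumes, plus a classifier for the SID sources Andrew lists. The struct is declared locally with the field layout from wbclient.h so the example builds without libwbclient; the source categories and sample SIDs are my own construction.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Binary SID layout as declared in Samba's wbclient.h (struct wbcDomainSid);
 * declared here so the example compiles without libwbclient. */
struct wbcDomainSid {
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[6];      /* 48-bit identifier authority, big-endian */
    uint32_t sub_auths[15];
};

/* Parse a textual SID ("S-1-5-21-...") into the binary form that
 * wbcSidsToUnixIds() takes. Returns 0 on success, -1 on a malformed SID. */
int parse_sid(const char *s, struct wbcDomainSid *sid)
{
    unsigned long long v;
    char *end;

    memset(sid, 0, sizeof(*sid));
    if (strncmp(s, "S-", 2) != 0) return -1;
    v = strtoull(s + 2, &end, 10);                 /* revision, always 1 */
    if (end == s + 2 || *end != '-' || v != 1) return -1;
    sid->sid_rev_num = (uint8_t)v;
    s = end + 1;
    v = strtoull(s, &end, 10);                     /* identifier authority */
    if (end == s || v > 0xffffffffffffULL) return -1;
    for (int i = 0; i < 6; i++) sid->id_auth[5 - i] = (uint8_t)(v >> (8 * i));
    while (*end == '-') {                          /* up to 15 sub-authorities */
        s = end + 1;
        if (sid->num_auths == 15) return -1;
        v = strtoull(s, &end, 10);
        if (end == s || v > 0xffffffffULL) return -1;
        sid->sub_auths[sid->num_auths++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

enum sid_source { SID_DOMAIN, SID_BUILTIN, SID_WELL_KNOWN, SID_BAD };

/* Constructed classification: the PAC carries domain SIDs (S-1-5-21-...);
 * BUILTIN (S-1-5-32-...) and well-known SIDs such as S-1-1-0 (Everyone) are
 * the entries a CIFS logon token gains locally and a raw PAC list lacks. */
enum sid_source sid_source_of(const char *text)
{
    struct wbcDomainSid sid;
    if (parse_sid(text, &sid) != 0 || sid.num_auths == 0) return SID_BAD;
    if (sid.id_auth[5] == 5 && sid.sub_auths[0] == 21) return SID_DOMAIN;
    if (sid.id_auth[5] == 5 && sid.sub_auths[0] == 32) return SID_BUILTIN;
    return SID_WELL_KNOWN;
}
```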
