[PATCH] winbind interface to extract SIDs from PAC
simo
idra at samba.org
Tue Jul 3 16:58:13 MDT 2012
On Tue, 2012-07-03 at 15:12 -0700, Christof Schmitt wrote:
> simo <idra at samba.org> wrote on 07/03/2012 02:26:25 PM:
>
> > On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> > > The attached patches implement a new winbind interface function
> > > wbcPacToSids. External applications that received a kerberos
> > > ticket from an ADS can use this function to extract the SIDs from
> > > the PAC in the kerberos ticket. This allows external
> > > applications to retrieve the user ids without reimplementing the
> > > code for decoding the PAC.
> >
> > Christof, why do you need a Winbindd extension for this?
> >
> > We have a library that already allows all this w/o adding interfaces to
> > winbind that we then have to support for a long time.
> >
> > Is there a particular reason why you can't link to the appropriate
> > samba4 libraries?
>
> I was not aware of the samba4 libraries and it seems that the
> autotools build does not build them as
> libraries. kerberos_decode_pac seems to be available in
> libauthkrb5.so and pac_utils.h. Is this a stable interface for
> external applications?
>
> (CC'ing Volker since he was also involved in discussions about
> providing this interface.)

Yes, we use it in the FreeIPA/SSSD projects for example.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>