[PATCH] winbind interface to extract SIDs from PAC

simo idra at samba.org
Tue Jul 3 17:02:31 MDT 2012

On Wed, 2012-07-04 at 08:23 +1000, Andrew Bartlett wrote: 
> On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> > The attached patches implement a new winbind interface function
> > wbcPacToSids. External applications that received a kerberos
> > ticket from an ADS can use this function to extract the SIDs from
> > the PAC in the kerberos ticket. This allows external
> > applications to retrieve the user ids without reimplementing the
> > code for decoding the PAC.
> This looks like a good start, but I think we should go further than
> this, particularly in justifying why this belongs as a winbind command.

What's the point of doing IPC and a full round through Winbind just to
use a function that is available to you through a public API?

Using the API means you can use this without having winbindd set up.
Forcing a user to set up winbindd just to decode the PAC doesn't strike
me as the most reasonable interface.


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
