[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Tue Jul 3 17:05:10 MDT 2012


On Tue, 2012-07-03 at 15:43 -0700, Christof Schmitt wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 07/03/2012 03:23:45 PM:
> 
> > On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> > > The attached patches implement a new winbind interface function
> > > wbcPacToSids. External applications that received a kerberos
> > > ticket from an ADS can use this function to extract the SIDs from
> > > the PAC in the kerberos ticket. This allows external
> > > applications to retrieve the user ids without reimplementing the
> > > code for decoding the PAC.
> > 
> > This looks like a good start, but I think we should go further than
> > this, particularly in justifying why this belongs as a winbind command.
> > 
> > I see this in two places:
> >  - Do you really want the list of SIDs, or would output as a list of
> > uid/gid values actually make more sense for your application (certainly
> > I think if we expose this, we should expose both variants).
> 
> The interface will be used by the Ganesha NFS server. Here is a
> first take on using an interface like this:
> https://github.com/rongzeng/nfs-ganesha/commit/6ecbe93fab3e5f04da61d201c10ecbb93dd6de9a
> 
> We want the mapped uid and gids. When I played with implementing
> the additional mapping to uid/gids, I ended up calling
> wbcSidsToUnixIds. Moving that to the client looked like the
> easier approach, since it is already available in wbclient.h.
> I can add another interface function to get the uid/gids,
> e.g. wbcPacToUnixIds.
> 
> >  - The list of SIDs is not complete:  We should have this return the
> > same token that would be constructed if the user logged in via CIFS.
> > That way, whatever is using this won't miss out on local groups, builtin
> > and well known SIDS.
> > 
> > This latter step will be a bit trickier (an extension to the auth4
> > interface layer would do it nicely), but I'm happy to assist with that.
> 
> I missed that part, but since the ids will be used for
> authentication, the same ids as if using CIFS should be
> available. What would be required to get the missing SIDs and ids?

Sadly, the more I dig into it, the more difficult it looks.  The call I
wanted to recommend was:

gensec_generate_session_info_pac()

With it then calling:

auth3_generate_session_info_pac() as part of the plugged in auth
context.

However, as you will notice when digging into this, it just isn't
practical to make these calls from inside winbindd.  This code itself
contacts winbindd, changes UID and generally does things that shouldn't
be done in winbindd.

To see the difference in the SIDs, compare the SID list you get with the
output of running:

 ldbsearch -H ldap://addc -s base -b "" -Utestuser%password tokenGroups

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
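Added example, not code from the patch or from Samba itself: it does the comparison suggested above, between the SID list an application would get from the PAC and the SIDs a CIFS logon token (as shown by tokenGroups) would carry, on constructed sample lists, and reports which SIDs the PAC list lacks together with a rough class (builtin, domain, or other/well-known).

```c
/* Added example, not part of the Samba patch or this thread. Both SID
 * lists below are constructed sample data, not real directory output. */
#include <stdio.h>
#include <string.h>

/* Constructed: SIDs as they would come out of the PAC (domain only). */
static const char *pac_sids[] = {
    "S-1-5-21-1000-2000-3000-1105",   /* the user */
    "S-1-5-21-1000-2000-3000-513",    /* Domain Users */
    "S-1-5-21-1000-2000-3000-1201",   /* a domain group */
};

/* Constructed: the same user's token as a CIFS logon would build it. */
static const char *token_sids[] = {
    "S-1-5-21-1000-2000-3000-1105",
    "S-1-5-21-1000-2000-3000-513",
    "S-1-5-21-1000-2000-3000-1201",
    "S-1-1-0",        /* Everyone (well-known) */
    "S-1-5-11",       /* Authenticated Users (well-known) */
    "S-1-5-32-545",   /* BUILTIN\Users (builtin local group) */
};

/* Rough classification by prefix: S-1-5-32-* is BUILTIN, S-1-5-21-* is
 * a domain SID; everything else is treated as well-known here. */
const char *sid_class(const char *sid)
{
    if (strncmp(sid, "S-1-5-32-", 9) == 0) return "builtin";
    if (strncmp(sid, "S-1-5-21-", 9) == 0) return "domain";
    return "well-known";
}

static int in_list(const char *sid, const char **list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, list[i]) == 0) return 1;
    return 0;
}

/* Count token SIDs absent from the PAC list; print them if verbose. */
size_t count_missing(int verbose)
{
    size_t n_pac = sizeof(pac_sids) / sizeof(pac_sids[0]);
    size_t n_tok = sizeof(token_sids) / sizeof(token_sids[0]);
    size_t missing = 0;
    for (size_t i = 0; i < n_tok; i++) {
        if (in_list(token_sids[i], pac_sids, n_pac)) continue;
        missing++;
        if (verbose)
            printf("missing from PAC list: %s (%s)\n",
                   token_sids[i], sid_class(token_sids[i]));
    }
    return missing;
}

int main(void) { count_missing(1); return 0; }
```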
