[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Tue Jul 3 17:20:53 MDT 2012

On Tue, 2012-07-03 at 19:02 -0400, simo wrote:
> On Wed, 2012-07-04 at 08:23 +1000, Andrew Bartlett wrote: 
> > On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> > > The attached patches implement a new winbind interface function
> > > wbcPacToSids. External applications that received a kerberos
> > > ticket from an ADS can use this function to extract the SIDs from
> > > the PAC in the kerberos ticket. This allows external
> > > applications to retrieve the user ids without reimplementing the
> > > code for decoding the PAC.
> > 
> > This looks like a good start, but I think we should go further than
> > this, particularly in justifying why this belongs as a winbind command.
> Andrew,
> what's the point of doing IPC and a full round through Winbind just to
> use a function that is available to you through a public API?
> Using the API means you can use this without having winbindd set up.
> Forcing a user to set up winbindd just to decode the PAC doesn't strike
> me as the most reasonable interface.


Indeed!  I guess I didn't think about it that way, perhaps because I was
thinking about the details required for the full expansion of groups,
and handling the id mapping in the same call.

On further investigation, the group expansion is going to be quite
tricky anyway.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
