[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Tue Jul 3 18:03:29 MDT 2012


samba-technical-bounces at lists.samba.org wrote on 07/03/2012 04:20:53 PM:

> On Tue, 2012-07-03 at 19:02 -0400, simo wrote:
> > On Wed, 2012-07-04 at 08:23 +1000, Andrew Bartlett wrote: 
> > > On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
> > > > The attached patches implement a new winbind interface function
> > > > wbcPacToSids. External applications that received a kerberos
> > > > ticket from an ADS can use this function to extract the SIDs from
> > > > the PAC in in the kerberos ticket. This allows external
> > > > applications to retrieve the user ids without reimplementing the
> > > > code for decoding the PAC.
> > > 
> > > This looks like a good start, but I think we should go further than
> > > this, particularly in justifying why this belongs as a winbind command.
> > 
> > Andrew,
> > what's the point of doing IPC and a full round through Winbind just to
> > use a function that is available to you through a public API?
> > 
> > Using the API means you can use this without having winbindd set up.
> > Forcing a user to set up winbindd just to decode the PAC doesn't strike
> > me as the most reasonable interface.
> 
> Simo,
> 
> Indeed!  I guess I didn't think about it that way, perhaps because I was
> thinking about the details required for the full expansion of groups,
> and handling the id mapping in the same call.
> 
> On further investigation, the group expansion is going to be quite
> tricky anyway.

If the group expansion is too tricky, then I can leave that out
for now.

The API provides kerberos_decode_pac, and then the application
has to find PAC_TYPE_LOGON_INFO, pull all the data and call
winbind to translate the SIDs to uid/gids.  Would that be a good
approach to get the mapped ids from the PAC?

With the winbind patch, kerberos_logon_info_from_pac and
sid_array_from_info3 would already get the SIDs. But maybe it is
not too bad to do something similar in the application. I will
look into this approach.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)