[PATCH] winbind interface to extract SIDs from PAC

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jul 3 20:27:33 MDT 2012


On Tue, Jul 03, 2012 at 03:14:30PM -0700, Christof Schmitt wrote:
> Christof Schmitt/Tucson/IBM wrote on 07/03/2012 03:12:07 PM:
> > simo <idra at samba.org> wrote on 07/03/2012 02:26:25 PM:
> > 
> > > On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote: 
> > > > The attached patches implement a new winbind interface function
> > > > wbcPacToSids. External applications that received a kerberos
> > > > ticket from an ADS can use this function to extract the SIDs from
> > > > the PAC in the kerberos ticket. This allows external
> > > > applications to retrieve the user ids without reimplementing the
> > > > code for decoding the PAC.
> > > 
> > > Christof why do you need a Winbindd extension for this ?
> > > 
> > > We have a library that already allows all this w/o adding interfaces to
> > > winbind that we then have to support for a long time.
> > > 
> > > Is there a particular reason why you can't link to the appropriate
> > > samba4 libraries ?
> > 
> > I was not aware of the samba4 libraries and it seems that the
> > autotools build does not build them as
> > libraries. kerberos_decode_pac seems to be available in
> > libauthkrb5.so and pac_utils.h. Is this a stable interface for
> > external applications?
> > 
> > (CC'ing Volker since he was also involved in discussions about
> > providing this interface.)
> 
> Sorry, forgot the actual cc.

When designing this idea I thought we wanted to have the
chance to make non-GPL compatible code call this.

And then there is my general tendency to use IPC over
linking which has influenced my line of thought. Just to
explain how I ended up recommending this approach. Sorry for
that.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

