[PATCH] winbind interface to extract SIDs from PAC

Matthieu Patou mat at samba.org
Wed Jul 4 00:16:55 MDT 2012

On 07/03/2012 07:27 PM, Volker Lendecke wrote:
> On Tue, Jul 03, 2012 at 03:14:30PM -0700, Christof Schmitt wrote:
>> Christof Schmitt/Tucson/IBM wrote on 07/03/2012 03:12:07 PM:
>>> simo <idra at samba.org> wrote on 07/03/2012 02:26:25 PM:
>>>> On Tue, 2012-07-03 at 15:22 -0600, Christof Schmitt wrote:
>>>>> The attached patches implement a new winbind interface function
>>>>> wbcPacToSids. External applications that received a kerberos
>>>>> ticket from an ADS can use this function to extract the SIDs from
>>>>> the PAC in in the kerberos ticket. This allows external
>>>>> applications to retrieve the user ids without reimplementing the
>>>>> code for decoding the PAC.
>>>> Christof why do you need a Winbindd extension for this ?
>>>> We have a library that already allows all this w/o adding intefaces to
>>>> winbind that we then have to support for a long time.
>>>> Is there a particular reason why you can't link to the appropriate
>>>> samba4 libraries ?
>>> I was not aware of the samba4 libraries and it seems that the
>>> autotools build does not build them as
>>> libraries. kerberos_decode_pac seems to be available in
>>> libauthkrb5.so and pac_utils.h. Is this a stable interface for
>>> external applications?
>>> (CC'ing Volker since he was also involved in discusisons about
>>> providing this interface.)
>> Sorry, forgot the actual cc.
> When designing this idea I thought we wanted to have the
> chance to make non-GPL compatible code call this.
I hate to say this (because of the non-GPL) but +1, we are exactly in 
this case and for other need we already discussed about having winbindd 
being able to authenticate someone when given a kerberos ticket (instead 
of user/password or user/challenge/response).
In ideal world all the software is opensource, in real world it's not.
> And then there is my general tendency to use IPC over
> linking which has influenced my line of thought. Just to
> explain how I ended up recommending this approach. Sorry for
> that.
Don't be sorry I would also advocate this IPC.


Matthieu Patou
Samba Team

More information about the samba-technical mailing list