[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Thu Jul 5 14:58:29 MDT 2012

christof.schmitt at us.ibm.com wrote on 07/03/2012 05:03:29 PM:

> If the group expansion is too tricky, then i can leave that out
> for now.
> The API provides kerberos_decode_pac, and then the application
> has to find PAC_TYPE_LOGON_INFO, pull all the data and call
> winbind to translate the SIDS to uid/gids.  Would that be a good
> approach to get the mapped ids from the PAC?
> With the winbind patch, kerberos_logon_info_from_pac and
> sid_array_from_info3 would already get the SIDs. But maybe it is
> not too bad to do something similar in the application. I will
> look into this approach.

It seems that the extraction of SIDs from a PAC is doable with
the libraries.  I can get the SIDs by calling these functions:
- kerberos_pac_logon_info
- make_user_info_dc_pac

The SIDs from user_info->sids can be translated to uid/gids with
wbcSidsToUnixIds. Is this an acceptable use of Samba libraries by
an external application? My biggest fear is that those functions
are considered internal to Samba and external applications would
break when they are changed.


Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)

More information about the samba-technical mailing list