[PATCH] winbind interface to extract SIDs from PAC
abartlet at samba.org
Mon Jul 16 21:22:05 MDT 2012
On Fri, 2012-07-06 at 10:12 -0600, Christof Schmitt wrote:
> Volker Lendecke <Volker.Lendecke at sernet.de> wrote on 07/05/2012 11:48:10
> > On Thu, Jul 05, 2012 at 04:31:16PM -0700, Christof Schmitt wrote:
> > > The initial patch introduces an interface to get the SIDs from
> > > the PAC. If it would be more reasonable to provide one call to
> > > get directly to the uid/gids, I can rework the patch to get the
> > > mappings internally in winbind.
> > If you can live with the two-step process, I would rather
> > have winbind extract only SIDs. Different client apps might
> > want to look at the SID values, we would have to create
> > another interface for them.
> Based on the feedback I have received, the two-step process is
> fine for the Ganesha requirements.
OK, but is it the best interface for the long term?
I certainly think it is a reasonable interface to offer, but as we move
to supporting things like IDMAP_BOTH, there would be value in ensuring
that Ganesha runs with the same unix token as smbd. (IDMAP_BOTH is
where all SID values map to a UID and GID. To get ACLs correct with
that, we need to ensure that the user SID also ends up in the security
token as a GID).
Regardless, you cannot simply write the dom_sid structures across the
pipe. These need to be marshalled or (more in keeping with the other
interfaces) printed into a string.
> > What might be more interesting in the future is extraction
> > of the whole PAC info, but this is definitely another call.
> Yes, this would be future work.
> Here is an updated version of the patch implementing the new
> winbind interface function. The master branch now has
> kerberos_pac_logon_info in a common library, so winbind can use
> this function to get the PAC_LOGIN_INFO.
I've still been thinking about this, and the primary change I would like
to see from here is in what the interface aims to achieve (even if it
does not totally at present).
That is, I would like the goal to be to return the full token as a SID
list, not just the SIDs present in the PAC. I know I said it was 'too
hard' earlier in the thread, but I think we need to get this right -
this is the most practical way for another application to obtain the
fully expanded SID list. As a start, we should at least add the
boilerplate SID_NT_NETWORK, SID_NT_AUTHENTICATED and SID_NT_WORLD but we
should work out a way to call the routines I suggested (as far as we can
within the rules for winbindd).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
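The marshalling point raised in the reply above, as an added example that is neither Samba's code nor the patch under discussion: a dom_sid is printed into its "S-1-..." string form instead of being written raw across the winbind pipe, and the token is extended with the well-known Network, Authenticated Users and World SIDs. The struct layout and the newline-separated token format are assumptions made for this illustration.

```c
/* Added example (not Samba's code): marshal dom_sid values into the
 * "S-1-5-21-..." string form for transfer over the winbind pipe, and build
 * a token string that also carries the well-known SIDs named in the thread. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout, modelled on the 15 sub-authority limit of a Windows SID. */
struct dom_sid {
    uint8_t  sid_rev_num;
    int8_t   num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[15];
};

/* Boilerplate SIDs to add to every token: Network, Authenticated Users, World. */
static const struct dom_sid sid_nt_network       = {1, 1, {0,0,0,0,0,5}, {2}};
static const struct dom_sid sid_nt_authenticated = {1, 1, {0,0,0,0,0,5}, {11}};
static const struct dom_sid sid_nt_world         = {1, 1, {0,0,0,0,0,1}, {0}};

/* Print a SID as "S-<rev>-<authority>-<sub>-...". Returns chars written, -1 on error. */
int sid_to_string(const struct dom_sid *sid, char *buf, size_t len)
{
    uint64_t ia = 0;
    int n, i;
    if (sid->num_auths < 0 || sid->num_auths > 15) return -1;
    for (i = 0; i < 6; i++) ia = (ia << 8) | sid->id_auth[i];   /* 48-bit authority */
    n = snprintf(buf, len, "S-%u-%llu", sid->sid_rev_num, (unsigned long long)ia);
    for (i = 0; i < sid->num_auths && n > 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - n, "-%u", sid->sub_auths[i]);
    return ((size_t)n < len) ? n : -1;                           /* -1 if truncated */
}

/* Newline-separated token: the PAC SIDs first, then the three boilerplate SIDs. */
int build_token_string(const struct dom_sid *pac_sids, int count, char *out, size_t len)
{
    const struct dom_sid *extra[] = {&sid_nt_network, &sid_nt_authenticated, &sid_nt_world};
    size_t used = 0;
    int i;
    out[0] = '\0';
    for (i = 0; i < count + 3; i++) {
        const struct dom_sid *s = (i < count) ? &pac_sids[i] : extra[i - count];
        int n = sid_to_string(s, out + used, len - used);
        if (n < 0 || used + n + 2 > len) return -1;              /* room for '\n' and NUL */
        used += n;
        out[used++] = '\n';
        out[used] = '\0';
    }
    return (int)used;
}
```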