[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Mon Jul 16 21:22:05 MDT 2012


On Fri, 2012-07-06 at 10:12 -0600, Christof Schmitt wrote:
> Volker Lendecke <Volker.Lendecke at sernet.de> wrote on 07/05/2012 11:48:10 PM:
> 
> > On Thu, Jul 05, 2012 at 04:31:16PM -0700, Christof Schmitt wrote:
> > > The initial patch introduces an interface to get the SIDs from
> > > the PAC. If it would be more reasonable to provide one call to
> > > get directly to the uid/gids, I can rework the patch to get the
> > > mappings internally in winbind.
> > 
> > If you can live with the two-step process, I would rather
> > have winbind extract only SIDs. Different client apps might
> > want to look at the SID values, we would have to create
> > another interface for them.
> 
> Based on the feedback I have received the two-step process is
> fine for the Ganesha requirements.

OK, but is it the best interface for the long term?

I certainly think it is a reasonable interface to offer, but as we move
to supporting things like IDMAP_BOTH, there would be value in ensuring
that Ganesha runs with the same unix token as smbd.  (IDMAP_BOTH is
where all SID values map to a UID and GID.  To get ACLs correct with
that, we need to ensure that the user SID also ends up in the security
token as a GID).

Regardless, you cannot simply write the dom_sid structures across the
pipe.  These need to be marshalled or (more in keeping with the other
interfaces) printed into a string. 

> > What might be more interesting in the future is extraction
> > of the whole PAC info, but this is definitely another call.
> 
> Yes, this would be future work.
> 
> Here is an updated version of the patch implementing the new
> winbind interface function. The master branch now has
> kerberos_pac_logon_info in a common library, so winbind can use
> this function to get the PAC_LOGIN_INFO.

I've still been thinking about this, and the primary change I would like
to see from here is in what the interface aims to achieve (even if it
does not totally at present).

That is, I would like the goal to be to return the full token as a SID
list, not just the SIDs present in the PAC.  I know I said it was 'too
hard' earlier in the thread, but I think we need to get this right -
this is the most practical way for another application to obtain the
fully expanded SID list.  As a start, we should at least add the
boilerplate SID_NT_NETWORK, SID_NT_AUTHENTICATED and SID_NT_WORLD but we
should work out a way to call the routines I suggested (as far as we can
within the rules for winbindd).

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
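Two points in Andrew's reply lend themselves to a worked illustration: that dom_sid structures must be printed into strings rather than written raw across the winbind pipe, and that the returned list should carry the boilerplate well-known SIDs (SID_NT_NETWORK, SID_NT_AUTHENTICATED, SID_WORLD) rather than only what the PAC contains. The code below is an added example, not code from this thread, from the patch under discussion, or from Samba itself. It assumes a hypothetical stand-in for struct dom_sid with the real struct's field names, the textual forms S-1-5-2, S-1-5-11 and S-1-1-0 for the three well-known SIDs, and function names (sid_to_string, string_to_sid, build_token_from_pac) chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for Samba's struct dom_sid (same field names, but a
 * self-contained reimplementation for this example, not Samba's code). */
#define SID_MAX_SUB_AUTHS 15
#define MAX_TOKEN_SIDS    64

struct dom_sid {
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[SID_MAX_SUB_AUTHS];
};

/* Boilerplate well-known SIDs every network logon token should carry. */
static const char *SID_NT_NETWORK       = "S-1-5-2";
static const char *SID_NT_AUTHENTICATED = "S-1-5-11";
static const char *SID_WORLD            = "S-1-1-0";

static bool is_digit(char c) { return c >= '0' && c <= '9'; }

/* Serialise a SID as "S-R-I-S-S..." for the pipe instead of writing the raw
 * struct. Returns the length written, or -1 if buf is too small. */
int sid_to_string(const struct dom_sid *sid, char *buf, size_t buflen)
{
    uint64_t ia = 0;                      /* 48-bit big-endian authority */
    for (int i = 0; i < 6; i++) ia = (ia << 8) | sid->id_auth[i];
    int n = snprintf(buf, buflen, "S-%u-%llu", (unsigned)sid->sid_rev_num,
                     (unsigned long long)ia);
    if (n < 0 || (size_t)n >= buflen) return -1;
    for (int i = 0; i < sid->num_auths; i++) {
        int m = snprintf(buf + n, buflen - n, "-%u", (unsigned)sid->sub_auths[i]);
        if (m < 0 || (size_t)m >= buflen - n) return -1;
        n += m;
    }
    return n;
}

/* Parse the textual form on the receiving side. Malformed or truncated
 * input is rejected outright rather than yielding a half-filled SID. */
bool string_to_sid(const char *s, struct dom_sid *out)
{
    char *end;
    const char *p = s + 2;
    memset(out, 0, sizeof(*out));
    if (s[0] != 'S' || s[1] != '-' || !is_digit(*p)) return false;
    unsigned long rev = strtoul(p, &end, 10);
    if (*end != '-' || rev > 255 || !is_digit(end[1])) return false;
    out->sid_rev_num = (uint8_t)rev;
    unsigned long long ia = strtoull(end + 1, &end, 10);
    if (ia > 0xFFFFFFFFFFFFULL) return false;
    for (int i = 5; i >= 0; i--) { out->id_auth[i] = ia & 0xff; ia >>= 8; }
    while (*end == '-') {
        if (out->num_auths >= SID_MAX_SUB_AUTHS || !is_digit(end[1])) return false;
        unsigned long sub = strtoul(end + 1, &end, 10);
        if (sub > 0xFFFFFFFFUL) return false;
        out->sub_auths[out->num_auths++] = (uint32_t)sub;
    }
    return *end == '\0';
}

bool sid_equal(const struct dom_sid *a, const struct dom_sid *b)
{
    return a->sid_rev_num == b->sid_rev_num && a->num_auths == b->num_auths &&
           memcmp(a->id_auth, b->id_auth, 6) == 0 &&
           memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}

/* The SID list handed back to the client in place of the raw token. */
struct sid_list { struct dom_sid sids[MAX_TOKEN_SIDS]; int count; };

/* Append a SID unless already present; false when the list is full. */
bool sid_list_add_unique(struct sid_list *l, const struct dom_sid *sid)
{
    for (int i = 0; i < l->count; i++)
        if (sid_equal(&l->sids[i], sid)) return true;
    if (l->count >= MAX_TOKEN_SIDS) return false;
    l->sids[l->count++] = *sid;
    return true;
}

/* Build the returned list from the PAC's SID strings plus the boilerplate
 * SIDs. Returns the resulting count, or -1 on a bad input string or overflow. */
int build_token_from_pac(const char **pac_sids, int n_pac, struct sid_list *token)
{
    const char *boilerplate[] = { SID_NT_NETWORK, SID_NT_AUTHENTICATED, SID_WORLD };
    struct dom_sid sid;
    token->count = 0;
    for (int i = 0; i < n_pac; i++) {
        if (!string_to_sid(pac_sids[i], &sid) || !sid_list_add_unique(token, &sid))
            return -1;
    }
    for (int i = 0; i < 3; i++) {
        string_to_sid(boilerplate[i], &sid);   /* constants, always parse */
        if (!sid_list_add_unique(token, &sid)) return -1;
    }
    return token->count;
}
```

The parser is strict on purpose: an interface that accepts SIDs as strings from a pipe has to reject a truncated or malformed value rather than hand the caller a partially filled structure, since the client will turn those SIDs into a unix token. Deduplication in build_token_from_pac is what lets the boilerplate SIDs be added unconditionally even when the PAC already lists one of them.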
