[PATCH] winbind interface to extract SIDs from PAC

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jul 17 00:21:09 MDT 2012

On Tue, Jul 17, 2012 at 01:22:05PM +1000, Andrew Bartlett wrote:
> I've still been thinking about this, and the primary change I would like
> to see from here is in what the interface aims to achieve (even if it
> does not totally at present).
> That is, I would like the goal to be to return the full token as a SID
> list, not just the SIDs present in the PAC.  I know I said it was 'too
> hard' earlier in the thread, but I think we need to get this right -
> this is the most practical way for another application to obtain the
> fully expanded SID list.  As a start, we should at least add the
> should work out a way to call the routines I suggested (as far as we can
> within the rules for winbindd).

wbcAuthUserInfo has the raw info3 struct without any
SID expansion, I would vote for the same with the PAC
extraction. Christof has a need now, I would really vote for
the simplified interface he needs.

For the full PAC expansion we could create a separate union
branch in wbcAuthUserParams.password for PAC input and a
separate flag to activate the expansion.


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

More information about the samba-technical mailing list