[PATCH] winbind interface to extract SIDs from PAC

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jul 17 00:21:09 MDT 2012


On Tue, Jul 17, 2012 at 01:22:05PM +1000, Andrew Bartlett wrote:
> I've still been thinking about this, and the primary change I would like
> to see from here is in what the interface aims to achieve (even if it
> does not totally at present).
> 
> That is, I would like the goal to be to return the full token as a SID
> list, not just the SIDs present in the PAC.  I know I said it was 'too
> hard' earlier in the thread, but I think we need to get this right -
> this is the most practical way for another application to obtain the
> fully expanded SID list.  As a start, we should at least add the
> boilerplate SID_NT_NETWORK, SID_NT_AUTHENTICATED and SID_NT_WORLD but we
> should work out a way to call the routines I suggested (as far as we can
> within the rules for winbindd).

wbcAuthUserInfo has the raw info3 struct without any
SID expansion, I would vote for the same with the PAC
extraction. Christof has a need now, I would really vote for
the simplified interface he needs.

For the full PAC expansion we could create a separate union
branch in wbcAuthUserParams.password for PAC input and a
separate flag to activate the expansion.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

