[PATCH] winbind interface to extract SIDs from PAC

Christian Ambach ambi at samba.org
Tue Jul 17 07:05:53 MDT 2012


On 07/17/2012 09:08 AM, Volker Lendecke wrote:

> To avoid timezone issues, let me step in here. NFS ganesha needs to
> expand the PAC to get a reliable list of user and group IDs. To the
> best of my knowledge this is the only way for authorization to work
> reliably. A member server has no way to figure out the group list it
> was presented in the PAC. NFS ganesha at this point has no interest
> in expanded groups or other token elements like session keys etc.

Under which conditions would Ganesha let Samba do the analysis of a PAC?
My understanding is that this only applies to Windows-style KDC
environments in which the ticket contains a PAC.
A MIT KDC would not provide it.

So if this can only happen in Windows environments, we sort of have to
expect that authorization on the filesystem might also be
Windows style.
This would require that smbd and Ganesha use the same Unix token (as the
ACLs might contain BUILTIN or whatever SIDs that are not in the PAC
directly, but would be added by smbd).

So I see Andrew's point that it would make most sense to return the
complete list of uid + primary gid + auxiliary gids to make this useful
for external applications like Ganesha. Passing back only the list of
SIDs to Ganesha would in this context mean that Ganesha will knock on
winbindd's doors again very quickly and request the SIDS->xid
mappings from winbindd. So why not give away everything in one step?

If the runway is too short (I don't know exactly when Ganesha would need
it), we still might want to start with a complete interface but only
give back some minimum results that are easy to implement and expand
that later?

Cheers,
Christian
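The two design points in the message above (smbd adds BUILTIN and other well-known SIDs that are not in the PAC itself, and a caller handed only SIDs would immediately need a second SID-to-xid round trip) can be seen in a small model. The following is an added illustration, not code from Samba, winbindd or Ganesha. It assumes a single constructed domain SID, an idmap_rid-style algorithmic mapping (xid = LOW_ID + RID - BASE_RID, with made-up range values), a fixed table standing in for winbindd's mapping of well-known SIDs, and a simplified rule that Domain Users membership implies BUILTIN\Users; all of these are assumptions for the example, not Samba's actual configuration or behaviour.

```python
"""Toy model: from the SID list in a PAC to a complete Unix token.

Added illustration; not Samba, winbindd or Ganesha code. Assumptions:
- one domain, SIDs as strings, idmap_rid style mapping
  xid = LOW_ID + (RID - BASE_RID) with a constructed range
- a fixed table standing in for winbindd's mapping of well-known SIDs
- Domain Users membership implies BUILTIN\\Users (simplified)
"""
from dataclasses import dataclass, field
from typing import Optional

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID
LOW_ID, BASE_RID = 10000, 0            # constructed idmap range
RID_DOMAIN_USERS = 513

SID_WORLD = "S-1-1-0"                  # Everyone
SID_AUTHENTICATED = "S-1-5-11"         # Authenticated Users
SID_BUILTIN_USERS = "S-1-5-32-545"     # BUILTIN\\Users

# Constructed stand-in for winbindd's idmap of non-domain SIDs. Everyone and
# Authenticated Users deliberately have no gid here: a SID without a mapping
# is dropped from the Unix token instead of failing the whole expansion.
WELLKNOWN_GID = {SID_BUILTIN_USERS: 10545}


@dataclass
class UnixToken:
    uid: int
    gid: int
    groups: list = field(default_factory=list)  # auxiliary gids, sorted


def sid_to_xid(sid: str) -> Optional[int]:
    """Map one SID to a Unix ID, or None if it has no mapping."""
    if sid.startswith(DOMAIN_SID + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        return LOW_ID + (rid - BASE_RID)
    return WELLKNOWN_GID.get(sid)


def expand_pac_sids(user_sid: str, group_sids: list) -> list:
    """Step 1: the SID list a member server builds from a PAC.

    The PAC carries the user SID and the domain group SIDs; the member
    server itself adds well-known SIDs and BUILTIN alias memberships (only
    Domain Users -> BUILTIN\\Users is modelled here, as an assumption).
    """
    sids = [user_sid] + list(group_sids) + [SID_WORLD, SID_AUTHENTICATED]
    if f"{DOMAIN_SID}-{RID_DOMAIN_USERS}" in group_sids:
        sids.append(SID_BUILTIN_USERS)
    return list(dict.fromkeys(sids))  # de-duplicate, keep order


def sids_to_unix_ids(sids: list) -> dict:
    """Step 2: the SID -> xid round trip a SID-only interface would force."""
    return {s: x for s in sids if (x := sid_to_xid(s)) is not None}


def unix_token_from_pac(user_sid: str, primary_group_sid: str,
                        group_sids: list) -> UnixToken:
    """Both steps in one call: uid + primary gid + auxiliary gids."""
    sids = expand_pac_sids(user_sid, [primary_group_sid] + list(group_sids))
    xids = sids_to_unix_ids(sids)
    if user_sid not in xids or primary_group_sid not in xids:
        raise LookupError("user or primary group SID has no Unix mapping")
    groups = [x for s, x in xids.items()
              if s not in (user_sid, primary_group_sid)]
    return UnixToken(uid=xids[user_sid], gid=xids[primary_group_sid],
                     groups=sorted(groups))


if __name__ == "__main__":
    # Constructed sample PAC contents: user RID 1105, primary group
    # Domain Users (513), one extra domain group with RID 2001.
    tok = unix_token_from_pac(f"{DOMAIN_SID}-1105",
                              f"{DOMAIN_SID}-{RID_DOMAIN_USERS}",
                              [f"{DOMAIN_SID}-2001"])
    print(tok)
```

The point to notice is that the auxiliary gid list contains the BUILTIN\Users gid, which never appears in the PAC: a caller that mapped the raw PAC SIDs itself would build a different token from the one smbd uses for ACL evaluation, and a caller that only received SIDs would still have to ask for every mapping in a second round trip.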
