[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Tue Jul 17 12:06:06 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 07/16/2012 11:30:25 PM:

> On Tue, 2012-07-17 at 08:21 +0200, Volker Lendecke wrote:
> > On Tue, Jul 17, 2012 at 01:22:05PM +1000, Andrew Bartlett wrote:
> > > I've still been thinking about this, and the primary change I would like
> > > to see from here is in what the interface aims to achieve (even if it
> > > does not totally at present).
> > > 
> > > That is, I would like the goal to be to return the full token as a SID
> > > list, not just the SIDs present in the PAC.  I know I said it was 'too
> > > hard' earlier in the thread, but I think we need to get this right -
> > > this is the most practical way for another application to obtain the
> > > fully expanded SID list.  As a start, we should at least add the
> > > boilerplate SID_NT_NETWORK, SID_NT_AUTHENTICATED and SID_NT_WORLD but we
> > > should work out a way to call the routines I suggested (as far as we can
> > > within the rules for winbindd).
> > 
> > wbcAuthUserInfo has the raw info3 struct without any
> > SID expansion, I would vote for the same with the PAC
> > extraction. Christof has a need now, I would really vote for
> > the simplified interface he needs.
> 
> The only reason wbcAuthUserInfo works is because the only caller I know
> of does substantial work to transform it into a useful thing.  Indeed,
> to me that is quite similar to the work being asked here.
> 
> I also think this answers the question better that Simo put as to why
> this isn't just an API call.  That is, adding a IPC call to do a
> structure parse seems like a licence workaround, while adding an IPC
> call to do complex internal database queries is instead a reasonable
> engineering solution that also happens to provide a licence boundary.
> 
> Christof,
> 
> So I am clear, what is your overall need here?  Rather than what code
> might do the task, can we step a layer up the stack for a moment, and
> discuss what exactly you are trying to achieve?

I looked at earlier notes about the discussion we had with
Ganesha developers. Their problem is that the principal in the
kerberos ticket does not contain the domain information. For
multi-domain environments Ganesha needs the user and group data
from the PAC since that already includes the domain information.

The original idea was to provide a winbind API call that
translates the user and groups in the PACs to the mapped unix
ids. While implementing this, I ended up calling sids_to_xids
internally in winbind, and moving that call out to the client
seemed like a simpler solution.

I think there is value in also providing the expanded SIDs or the
corresponding unix ids. The Ganesha developers might not be aware
of this behavior. I would suggest including a winbind call now
to get the user ids from the PAC. Ideally this call can be
extended in the future when the infrastructure to get the
expanded ids is available. At the same time we can talk to the
Ganesha developers if they would also need the expanded list of
ids.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
