[PATCH] winbind interface to extract SIDs from PAC

Andrew Bartlett abartlet at samba.org
Wed Jul 18 02:46:40 MDT 2012

On Tue, 2012-07-17 at 11:06 -0700, Christof Schmitt wrote:

> I looked at earlier notes about the discussion we had with
> Ganesha developers. Their problem is that the principal in the
> kerberos ticket does not contain the domain information. For
> multi-domain environments Ganesha needs the user and group data
> from the PAC since that already includes the domain information.

How does Ganesha get the user's groups at the moment?  I presume it
calls initgroups or getgrouplist()?

> The original idea was to provide a winbind API call that
> translates the user and groups in the PACs to the mapped unix
> ids. While implementing this, i ended up calling sids_to_xids
> internally in winbind, and moving that call out to the client
> seemed like a simpler solution.
> I think there is value in providing also the expanded SIDs or the
> corresponding unix ids. The Ganesha developers might not be aware
> of this behavior. 

This is what I've been trying to get at.  Indeed, up until now they and
you haven't had to know that a call to initgroups() returns these groups
as well.  In short, it 'just works', which is is a good property of an
NSS interface. (See winbindd_getgroups.c and wb_gettoken.c for how this
is handled). 

Of course it doesn't 'just work' for users from a foreign domain were
winbindd has not seen the PAC, which is where we get to your desired

> I would suggest to include a winbind call now
> to get the user ids from the PAC. Ideally this call can be
> extended in the future when the infrastructure to get the
> expanded ids is available. At the same time we can talk to the
> Ganesha developers if they would also need the expanded list of
> ids.

In the further investigation, if Ganesha uses initgroups() or
getgrouplist() at the moment, then there is no reasonable choice but to
do this properly (expand the local aliases) now, as to do otherwise
would risk a regression (the answer won't be the same).

In short, what I suggest Ganesha needs is a call like getgrouplist(),
but that takes a PAC as the first argument.  Then the output can be
treated in the same way, but the results will be more complete, because
the PAC will have been consulted.

The implementation will be quite similar to wb_gettoken() (it could be
an optional behaviour of that call), except it would skip
LookupUserGroups and only call LookupUserAliases.

I hope this clarifies my concerns, and explains why I think simple PAC
parsing isn't enough for this interface. 


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list