[PATCH] winbind interface to extract SIDs from PAC
Volker.Lendecke at SerNet.DE
Wed Jul 18 14:08:30 MDT 2012
On Wed, Jul 18, 2012 at 09:47:51AM -0700, Christof Schmitt wrote:
> 1) Ganesha passes the PAC to wbcAuthenticateUserEx and retrieves
> the user name and the domain.

Question -- does the PAC contain enough information to make
sure it is authentic? Does it contain a checksum signed with
the workstation password? Or do we have to pass on the whole
ticket including all the krb5 wrapping and encryption?

> 2) The information from this call can be used to get the uid and
> gid for the primary group.
> 3) The complete list of groups for the user can be obtained
> through getgrouplist.
> Does this sound like a good approach?

Yes. If that's possible, it would be the right approach
IMHO. Step 1) would implicitly fill the netsamlogon_cache
which can then be used in 3).