[PATCH] winbind interface to extract SIDs from PAC

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jul 18 14:08:30 MDT 2012

On Wed, Jul 18, 2012 at 09:47:51AM -0700, Christof Schmitt wrote:
> 1) Ganesha passes the PAC to wbcAuthenticateUserEx and retrieves
>  the user name and the domain.

Question -- does the PAC contain enough information to make
sure it is authentic? Does it contain a checksum signed with
the workstation password? Or do we have to pass on the whole
ticket including all the krb5 wrapping and encryption?

> 2) The information from this call can be used to get the uid and
>  gid for the primary group.
> 3) The complete list of groups for the user can be obtained
>  through getgrouplist.
> Does this sound like a good approach?

Yes. If that's possible, it would be the right approach
IMHO. Step 1) would implicitly fill the netsamlogon_cache
which can then be used in 3).


More information about the samba-technical mailing list