[PATCH] winbind interface to extract SIDs from PAC

simo idra at samba.org
Wed Jul 18 15:14:20 MDT 2012

On Wed, 2012-07-18 at 22:08 +0200, Volker Lendecke wrote: 
> On Wed, Jul 18, 2012 at 09:47:51AM -0700, Christof Schmitt wrote:
> > 1) Ganesha passes the PAC to wbcAuthenticateUserEx and retrieves
> >  the user name and the domain.
> Question -- does the PAC contain enough information to make
> sure it is authentic? Does it contain a checksum signed with
> the workstation password? Or do we have to pass on the whole
> ticket including all the krb5 wrapping and encryption?

You need the pac blob, it contains the server and the kdc signatures.
The logon_info is one of the buffers signed by those.

The problem is that you need to fully trust the service that receives
the PAC if it has access to the keytab, because possession of the long
term secret means you can fake-sign a PAC. However if you are willing to
waste time with RPC calls you can also ask the KDC to check its
signature is real. It's a bit of a waste though to have to contact the
KDC. It would be better to not give long term keys to services at all so
you do not have to.

> > 2) The information from this call can be used to get the uid and
> >  gid for the primary group.
> > 3) The complete list of groups for the user can be obtained
> >  through getgrouplist.
> > 
> > Does this sound like a good approach?
> Yes. If that's possible, it would be the right approach
> IMHO. Step 1) would implicitly fill the netsamlogon_cache
> which can then be used in 3).

Indeed, passing the PAC to winbindd and letting it prime the cache is
the right approach.


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
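To make the two-signature point from the thread concrete, here is an added example that is not part of the original mail and not Samba or winbindd code. It models the MS-PAC layout (a PACTYPE header, a LOGON_INFO buffer, a SERVER_CHECKSUM and a PRIVSVR/KDC CHECKSUM buffer) with the rc4-hmac checksum (KERB_CHECKSUM_HMAC_MD5, RFC 4757 section 4). The server checksum covers the whole PAC with both Signature fields zeroed and is keyed with the service's long-term key; the KDC checksum covers only the server signature and is keyed with the krbtgt key. The keys and the LOGON_INFO payload are constructed placeholders (a real LOGON_INFO is NDR-encoded KERB_VALIDATION_INFO, which is not parsed here). The functions `verify_server_checksum` and `verify_kdc_checksum` show which check a keytab holder can do locally and which one needs the KDC round-trip the post mentions.

```python
import hashlib
import hmac
import struct

# Buffer types from MS-PAC section 2.4 and the checksum type from RFC 4757.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7             # the KDC ("privilege server") signature
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # -138 as an unsigned 32-bit value
KERB_NON_KERB_CKSUM_SALT = 17        # key usage number used for PAC checksums
SIG_LEN = 16                         # HMAC-MD5 signature length


def hmac_md5_checksum(key: bytes, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as described in RFC 4757 section 4."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", KERB_NON_KERB_CKSUM_SALT) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def _align8(n: int) -> int:
    return (n + 7) & ~7


def parse_pac(blob: bytes) -> dict:
    """Return {buffer_type: (offset, size)} from the PACTYPE header."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    bufs = {}
    for i in range(count):
        btype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC buffer out of bounds")
        bufs[btype] = (offset, size)
    return bufs


def build_pac(logon_info: bytes, service_key: bytes, krbtgt_key: bytes) -> bytes:
    """Assemble a PAC with LOGON_INFO, SERVER_CHECKSUM and PRIVSVR_CHECKSUM."""
    sig_buf = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * SIG_LEN
    bodies = [(PAC_LOGON_INFO, logon_info),
              (PAC_SERVER_CHECKSUM, sig_buf),
              (PAC_PRIVSVR_CHECKSUM, sig_buf)]
    header_len = 8 + 16 * len(bodies)
    entries, data, offset = b"", b"", _align8(header_len)
    for btype, body in bodies:                 # buffers are 8-byte aligned
        entries += struct.pack("<IIQ", btype, len(body), offset)
        padded = body + b"\x00" * (_align8(len(body)) - len(body))
        data += padded
        offset += len(padded)
    pac = bytearray(struct.pack("<II", len(bodies), 0) + entries)
    pac += b"\x00" * (_align8(header_len) - header_len)
    pac += data
    bufs = parse_pac(bytes(pac))
    # Server checksum: whole PAC, both Signature fields still zeroed.
    srv_sig = hmac_md5_checksum(service_key, bytes(pac))
    soff = bufs[PAC_SERVER_CHECKSUM][0] + 4
    pac[soff:soff + SIG_LEN] = srv_sig
    # KDC checksum: over the server signature only, keyed with krbtgt.
    kdc_sig = hmac_md5_checksum(krbtgt_key, srv_sig)
    koff = bufs[PAC_PRIVSVR_CHECKSUM][0] + 4
    pac[koff:koff + SIG_LEN] = kdc_sig
    return bytes(pac)


def verify_server_checksum(blob: bytes, service_key: bytes) -> bool:
    """The check a service holding the keytab can do locally."""
    bufs = parse_pac(blob)
    if PAC_SERVER_CHECKSUM not in bufs or PAC_PRIVSVR_CHECKSUM not in bufs:
        return False
    zeroed = bytearray(blob)
    for btype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off, size = bufs[btype]
        sigtype = struct.unpack_from("<I", blob, off)[0]
        if sigtype != KERB_CHECKSUM_HMAC_MD5 or size < 4 + SIG_LEN:
            return False
        zeroed[off + 4:off + 4 + SIG_LEN] = b"\x00" * SIG_LEN
    off = bufs[PAC_SERVER_CHECKSUM][0] + 4
    expected = hmac_md5_checksum(service_key, bytes(zeroed))
    return hmac.compare_digest(expected, blob[off:off + SIG_LEN])


def verify_kdc_checksum(blob: bytes, krbtgt_key: bytes) -> bool:
    """The check only the KDC can do; a service asks for it over Netlogon RPC."""
    bufs = parse_pac(blob)
    soff = bufs[PAC_SERVER_CHECKSUM][0] + 4
    koff = bufs[PAC_PRIVSVR_CHECKSUM][0] + 4
    expected = hmac_md5_checksum(krbtgt_key, blob[soff:soff + SIG_LEN])
    return hmac.compare_digest(expected, blob[koff:koff + SIG_LEN])


def logon_info(blob: bytes) -> bytes:
    """Return the raw LOGON_INFO buffer, the part winbindd would decode."""
    off, size = parse_pac(blob)[PAC_LOGON_INFO]
    return blob[off:off + size]


if __name__ == "__main__":
    svc_key, krb_key = b"S" * 16, b"K" * 16   # constructed placeholder keys
    pac = build_pac(b"constructed LOGON_INFO payload", svc_key, krb_key)
    print("server ok:", verify_server_checksum(pac, svc_key))
    print("kdc ok:   ", verify_kdc_checksum(pac, krb_key))
```

The local check proves only that the PAC was signed by some holder of the service key; a PAC minted by such a holder carries a KDC signature that only the krbtgt key can validate, which is the reason the post gives for the RPC round-trip to the KDC and for not handing long-term keys to services in the first place.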
