[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Wed Jul 18 15:26:01 MDT 2012


Volker Lendecke <Volker.Lendecke at sernet.de> wrote on 07/18/2012 01:08:30 PM:

> On Wed, Jul 18, 2012 at 09:47:51AM -0700, Christof Schmitt wrote:
> > 1) Ganesha passes the PAC to wbcAuthenticateUserEx and retrieves
> >  the user name and the domain.
>
> Question -- does the PAC contain enough information to make
> sure it is authentic? Does it contain a checksum signed with
> the workstation password? Or do we have to pass on the whole
> ticket including all the krb5 wrapping and encryption?

In the patches so far we have passed the decrypted PAC from Ganesha to
winbindd, and we skipped the verification. Looking at the code, there
are signatures in the PAC that could be verified, e.g. passing the
service key to kerberos_decode_pac would trigger a signature
verification.

I do not know how involved passing the service key or the encrypted
ticket to winbindd and triggering the verification would be. I am
working on a patch that passes the decrypted PAC through
wbcAuthenticateUserEx. When that is working I can look into adding
more verification, although some hints on how to best approach this would
be helpful.

> > 2) The information from this call can be used to get the uid and
> >  gid for the primary group.
> > 3) The complete list of groups for the user can be obtained
> >  through getgrouplist.
> >
> > Does this sound like a good approach?
>
> Yes. If that's possible, it would be the right approach
> IMHO. Step 1) would implicitly fill the netsamlogon_cache
> which can then be used in 3).

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
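The point behind Volker's question above is that a decrypted PAC handed over by a caller carries its own proof of origin: the server signature, which the KDC computed with the service's long-term key, and which winbindd (or kerberos_decode_pac, when given the service key) can recompute. The following is an added example, not Samba or Ganesha code, showing that check end to end in Python: it serialises a minimal PAC with a logon-info buffer and the two signature buffers, signs it the way a KDC would, and then verifies the server signature and shows that a tampered PAC fails. It assumes the RC4-HMAC checksum type (KERB_CHECKSUM_HMAC_MD5 from RFC 4757 section 4) with key usage 17 as MS-PAC specifies for PAC signatures; the AES checksum types, the RODCIdentifier field and NDR decoding of the logon info are not handled. The keys and the logon-info bytes are constructed placeholders.

```python
import hashlib
import hmac
import struct

# MS-PAC buffer types (section 2.4) used in this example.
PAC_TYPE_LOGON_INFO = 1
PAC_TYPE_SERVER_CHECKSUM = 6
PAC_TYPE_KDC_CHECKSUM = 7

# RC4-HMAC checksum type (RFC 4757 section 4), -138 written as an unsigned u32.
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76
HMAC_MD5_SIG_LEN = 16
# Key usage number for PAC signatures (MS-PAC section 2.8, KERB_NON_KERB_CKSUM_SALT).
KERB_NON_KERB_CKSUM_SALT = 17

# Constructed placeholders; a real PAC carries an NDR-encoded KERB_VALIDATION_INFO here.
SAMPLE_LOGON_INFO = b"constructed-logon-info-placeholder"
SERVICE_KEY = bytes(range(16))       # constructed: the service's RC4 key
KDC_KEY = bytes(range(16, 32))       # constructed: the krbtgt key


def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as defined in RFC 4757 section 4."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_pac(buffers):
    """Serialise a PACTYPE: cBuffers, Version, the buffer directory, then
    each buffer body padded to 8 bytes (MS-PAC section 2.3)."""
    offset = 8 + 16 * len(buffers)
    directory = b""
    body = b""
    for ul_type, data in buffers:
        directory += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\x00" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + directory + body


def parse_pac(pac: bytes):
    """Return {ulType: (offset, size)} from the buffer directory, bounds-checked."""
    c_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    entries = {}
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC buffer runs past the end of the PAC")
        entries[ul_type] = (offset, size)
    return entries


def zeroed_for_signing(pac: bytes, entries) -> bytes:
    """Copy of the PAC with the Signature bytes of both checksum buffers zeroed;
    the SignatureType fields stay in place (MS-PAC section 2.8)."""
    buf = bytearray(pac)
    for t in (PAC_TYPE_SERVER_CHECKSUM, PAC_TYPE_KDC_CHECKSUM):
        offset, _ = entries[t]
        sig_type, = struct.unpack_from("<I", buf, offset)
        if sig_type != KERB_CHECKSUM_HMAC_MD5:
            raise ValueError("only KERB_CHECKSUM_HMAC_MD5 is handled in this example")
        buf[offset + 4:offset + 4 + HMAC_MD5_SIG_LEN] = b"\x00" * HMAC_MD5_SIG_LEN
    return bytes(buf)


def sign_pac(logon_info: bytes, service_key: bytes, kdc_key: bytes) -> bytes:
    """Build a PAC and fill in both signatures as a KDC would."""
    placeholder = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * HMAC_MD5_SIG_LEN
    pac = build_pac([(PAC_TYPE_LOGON_INFO, logon_info),
                     (PAC_TYPE_SERVER_CHECKSUM, placeholder),
                     (PAC_TYPE_KDC_CHECKSUM, placeholder)])
    entries = parse_pac(pac)
    buf = bytearray(pac)
    # Server signature: checksum of the PAC (signature bytes zeroed) under the service key.
    server_sig = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, pac)
    srv_off = entries[PAC_TYPE_SERVER_CHECKSUM][0] + 4
    buf[srv_off:srv_off + HMAC_MD5_SIG_LEN] = server_sig
    # KDC signature: checksum of the server signature bytes under the krbtgt key.
    kdc_sig = hmac_md5_checksum(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    kdc_off = entries[PAC_TYPE_KDC_CHECKSUM][0] + 4
    buf[kdc_off:kdc_off + HMAC_MD5_SIG_LEN] = kdc_sig
    return bytes(buf)


def verify_server_signature(pac: bytes, service_key: bytes) -> bool:
    """The check a service can do on its own: recompute the server signature."""
    entries = parse_pac(pac)
    if PAC_TYPE_SERVER_CHECKSUM not in entries or PAC_TYPE_KDC_CHECKSUM not in entries:
        return False
    offset, _ = entries[PAC_TYPE_SERVER_CHECKSUM]
    stored = pac[offset + 4:offset + 4 + HMAC_MD5_SIG_LEN]
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT,
                                 zeroed_for_signing(pac, entries))
    return hmac.compare_digest(stored, expected)


def demo():
    """Returns (genuine PAC verifies, tampered PAC verifies)."""
    pac = sign_pac(SAMPLE_LOGON_INFO, SERVICE_KEY, KDC_KEY)
    tampered = bytearray(pac)
    off, _ = parse_pac(pac)[PAC_TYPE_LOGON_INFO]
    tampered[off] ^= 0x01  # flip one bit of the logon info
    return verify_server_signature(pac, SERVICE_KEY), verify_server_signature(bytes(tampered), SERVICE_KEY)


if __name__ == "__main__":
    print(demo())
```

Only the server signature can be checked by a member server, since the KDC signature needs the krbtgt key; that is why the service key (or a keytab entry) has to reach whichever component does the check, which is the part of the work the reply above says is still open.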