[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Mon Jul 23 16:07:25 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 07/20/2012 04:50:47 PM:

> On Thu, 2012-07-19 at 16:32 -0700, Christof Schmitt wrote:
> > I am also looking where to start implementing this. Is there a list of
> > known keys available in winbind that can be tried for the PAC
> > verification?
> 
> The gse_krb5 code in source3/librpc/crypto creates a set of possible
> keys to hand to GSSAPI from the secrets.tdb or keytab.  It will be one
> of those. 
> 
> > Another thought would be that the PAC verification is only required
> > for adding the PAC data to the netsamlogon cache. Without this step,
> > winbindd would contact the DC on the getgrouplist call. The info3 data
> > returned from wbcAuthenticateUserEx would already help with the
> > Ganesha authentication requirements. Would it make sense to first
> > implement the PAC interface for wbcAuthenticateUserEx and add the PAC
> > verification and cache priming later? Or am I missing something here
> > and this does not work?
> 
> That gets us back to where we started, unless the wbcAuthenticateUserEx
> call is extended to do the token expansion (perhaps as an extra flag for
> both NTLM and PAC use cases).  This wouldn't be too hard to do however. 
> 
> Simo's point about it being better to prime the cache and use the
> original API calls would still stand however. 

Understood :) Here is the first version of the new interface. It
extends the wbcAuthenticateUserEx call so that a client can provide a
PAC. I extended the AUTH_CRAP call since the suggestion was to use the
privileged pipe and AUTH_CRAP already uses this pipe. The usage from
the client would look like this:

        params.level = WBC_AUTH_USER_LEVEL_PAC;
        params.password.pac.data = (uint8_t *)pac;
        params.password.pac.length = length;

        wbc_err = wbcAuthenticateUserEx(&params, &info, &error);

If this is acceptable, I will look into the PAC signature verification
next.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-winbind-Extend-wbcAuthenticateUserEx-to-provide-PAC.patch
Type: application/octet-stream
Size: 8859 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120723/7d503b77/attachment.obj>