[PATCH] winbind interface to extract SIDs from PAC

Tue Jul 24 11:27:40 MDT 2012

Andrew Bartlett <abartlet at samba.org> wrote on 07/24/2012 05:28:22 AM:

> On Mon, 2012-07-23 at 19:52 -0400, simo wrote:
> > On Mon, 2012-07-23 at 16:07 -0600, Christof Schmitt wrote: 
> > >         params.level = WBC_AUTH_USER_LEVEL_PAC;
> > >         params.password.pac.data = (uint8_t *)pac;
> > >         params.password.pac.length = length;
> > > 
> > >         wbc_err = wbcAuthenticateUserEx(&params, &info, &error);
> > > 
> > > If this is acceptable, i will look into the PAC signature 
verification
> > > next.
> > 
> > Andrew I would prefer a separate pipe, otherwise it is not easy to
> > distinguish between apache/squid/etc and a more trusted service.
> > Note that you do not necessarily have the keys to check the PAC in
> > winbind as a different service key may be used (I know not common in 
AD
> > but common in FreeIPA for example).
> 
> Simo,
> 
> Can you explain more how would winbindd fit in with FreeIPA in this
> situation? 
> 
> That said, I do see how having SQUID - ie totally untrusted - presenting
> a PAC and obtaining the full list of local groups, as SIDs could be
> very, very useful in an access control situation.

I am trying to find out what the next step would be to get closer to
the final solution. Is the proposed extension of struct
wbcAuthUserParams to provide the PAC acceptable?  We could always add
an option through the flags field (WBC_AUTH_PARAM_FLAGS) if different
modes are required for this call.

Should this call pass through the privileged pipe or through a new
one?

> Even building from this interface, we could have a very useful API:
>  - return the info3 from the PAC/info3

This is what the last patch already does.

>  - FLAG_ALL_SIDS to do the token expansion in both cases (needed because
> current NTLM API doesn't do it)

What are "both cases"? Would this be an additional option in the flags
field?

>  - if we happen to trust the PAC signing key, stash it in the cache for
> initgroups() to do the right thing.

Should the implementation check if a signature matches, and only put
the info3 in the cache if it does? We could always try this and put
the result in user_flags in struct wbcAuthUserInfo.

> On the flip side, extra winbind interfaces calls are free, and if that
> makes you more comfortable, then it shouldn't change the code much. 

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)