[PATCH] winbind interface to extract SIDs from PAC

Christof Schmitt christof.schmitt at us.ibm.com
Thu Jul 26 15:33:45 MDT 2012


simo <idra at samba.org> wrote on 07/24/2012 10:51:10 AM:
> On Tue, 2012-07-24 at 22:28 +1000, Andrew Bartlett wrote:
> > Can you explain more how would winbindd fit in with FreeIPA in this
> > situation?
> 
> We use winbindd on the DC to contact trust domains. In this
> configuration Winbindd only has the cifs/fqdn credentials and access to
> the cross-realm password.
> I was thinking it may be a good idea to allow for a more trusted
> interface where validation is implied.
> 
> However, you convinced me that for normal services the additional
> validation by default is valuable; I will add conditionals later if
> needed.

Here is an updated version of the winbind interface. It now tries to
verify the PAC signatures. If the verification succeeds, the
information from the PAC is stored in the netlogon_cache. The info3 is
always returned to the client, independent of the verification result.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-winbind-Extend-wbcAuthenticateUserEx-to-provide-PAC.patch
Type: application/octet-stream
Size: 10796 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120726/d87ffed8/attachment.obj>