of keytabs, kerberos and winbindd

Andrew Bartlett abartlet at samba.org
Thu Jun 14 16:57:02 MDT 2012

On Thu, 2012-06-14 at 18:11 -0400, simo wrote:

> > Also I already discussed about the possibility for winbindd to accept a 
> > kerberos ticket for doing the authentication and group membership 
> > "lookup", the idea is that a user has already a kerberos ticket with PAC 
> > information it can used to authenticate and get the groups of the user 
> > without having winbindd doing a netlogon request to the DC, this is 
> > similar to what WINBINDD_PAM_AUTH do except that you specify a ticket 
> > instead of user and a password.
> Yes we could be more aggressive with caching, and have the PAC stuff
> dumped in the winbind cache is winbind is in use.

I've had a fellow developer ask if we could implement a PAC -> xids
function (return the list of unix IDs given an unparsed PAC).  That
could certainly use this, or the approach dlz_bind9 uses (bind9 does a
normal GSSAPI authentication, the dlz module replays it and extracts the

The primary issue is that for the direct 'offload the authentication to
winbind' case, you can't do a subsequent sign/seal, as you don't have
the session keys. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list