of keytabs, kerberos and winbindd
abartlet at samba.org
Thu Jun 14 16:57:02 MDT 2012
On Thu, 2012-06-14 at 18:11 -0400, simo wrote:
> > Also I already discussed about the possibility for winbindd to accept a
> > kerberos ticket for doing the authentication and group membership
> > "lookup", the idea is that a user has already a kerberos ticket with PAC
> > information it can be used to authenticate and get the groups of the user
> > without having winbindd doing a netlogon request to the DC, this is
> > similar to what WINBINDD_PAM_AUTH does except that you specify a ticket
> > instead of user and a password.
> Yes we could be more aggressive with caching, and have the PAC stuff
> dumped in the winbind cache if winbind is in use.
I've had a fellow developer ask if we could implement a PAC -> xids
function (return the list of unix IDs given an unparsed PAC). That
could certainly use this, or the approach dlz_bind9 uses (bind9 does a
normal GSSAPI authentication, the dlz module replays it and extracts the

The primary issue is that for the direct 'offload the authentication to
winbind' case, you can't do a subsequent sign/seal, as you don't have
the session keys.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org