AD attributes queried by 'id DOMAIN/user'

Richard Sharpe realrichardsharpe at gmail.com
Wed May 29 16:05:12 MDT 2013


On Wed, May 29, 2013 at 1:24 PM, Jeremy Allison <jra at samba.org> wrote:
> On Wed, May 29, 2013 at 07:28:48AM +0200, Andreas Schneider wrote:
>> On Tuesday 28 May 2013 10:24:12 C.J. Adams-Collier KF7BMP wrote:
>> > Hey folks,
>> >
>> > We're experiencing some long delays getting responses back from winbind
>> > via nsswitch.  Do any of you know off the top of your head which AD
>> > attributes are being queried by id via nsswitch?  I could walk through
>> > nss_winbind_linux.c with gdb, but that doesn't sound like a fun way to
>> > spend my day.
>>
>> Take a look at:
>>
>> https://blog.cryptomilk.org/2012/11/08/understanding-winbind/
>
> This is *really good* work! Thanks. Looking forward to
> more installments :-).

While this is indeed good info, this confuses me:

'If Kerberos is involved the Winbind child handling LEVEL1 will
authenticate the user talking to the KDC of the domain controller. All
information will be stored in the PAC (Privilege Attribute
Certificate) of the Kerberos ticket (which is similar to the info3
structure in the LogonSamLogon response).'

I thought that the PAC was in the ticket presented by the client,
meaning that winbindd was not needed to do authentication because the
smbd has all the info it needs.

Is this wrong?

On the other hand, winbindd is needed to generate UNIX account info
for the user, I think.

Can someone let me know where I have gone wrong?

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only with Du Kang. -- Cao Cao)
