AD attributes queried by 'id DOMAIN/user'

Simo idra at samba.org
Wed May 29 16:08:49 MDT 2013


On 05/29/2013 06:05 PM, Richard Sharpe wrote:
> On Wed, May 29, 2013 at 1:24 PM, Jeremy Allison <jra at samba.org> wrote:
>> On Wed, May 29, 2013 at 07:28:48AM +0200, Andreas Schneider wrote:
>>> On Tuesday 28 May 2013 10:24:12 C.J. Adams-Collier KF7BMP wrote:
>>>> Hey folks,
>>>>
>>>> We're experiencing some long delays getting responses back from winbind
>>>> via nsswitch.  Do any of you know off the top of your head which AD
>>>> attributes are being queried by id via nsswitch?  I could walk through
>>>> nss_winbind_linux.c with gdb, but that doesn't sound like a fun way to
>>>> spend my day.
>>> Take a look at:
>>>
>>> https://blog.cryptomilk.org/2012/11/08/understanding-winbind/
>> This is *really good* work! Thanks. Looking forward to
>> more installments :-).
> While this is indeed good info, this confuses me:
>
> 'If Kerberos is involved the Winbind child handling LEVEL1 will
> authenticate the user talking to the KDC of the domain controller. All
> information will be stored in the PAC (Privilege Attribute
> Certificate) of the Kerberos ticket (which is similar to the info3
> structure in the LogonSamLogon response).'
>
> I thought that the PAC was in the ticket presented by the client,
> meaning that winbindd was not needed to do authentication because the
> smbd has all the info it needs.
>
> Is this wrong?
>
> On the other hand, winbindd is needed to generate UNIX account info
> for the user, I think.
>
> Can someone let me know where I have gone wrong?
>

I think this may be referring to PAM authentication where winbindd makes
the AS request. (Kinit for the user).

The PAC will be in the TGT, but validation will give you access to it.
Not sure if Winbindd really does it this way, if not it should :)

Simo.