Query on commit 1bc2f28b9420829645ed571daf2a17e6688b2103

Jeremy Allison jra at samba.org
Tue Sep 27 22:29:25 UTC 2016


On Tue, Sep 27, 2016 at 03:20:08PM -0700, Jeremy Allison wrote:
> On Tue, Sep 27, 2016 at 03:12:04PM -0700, Christof Schmitt wrote:
> > 
> > The whole discussion around this interface is in the thread at:
> > https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283
> > 
> > The reason for handling the failed signature validation is mentioned
> > here:
> > https://lists.samba.org/archive/samba-technical/2012-July/085713.html
> > 
> > The scenario here would be having winbindd running on a machine with the
> > keytab from the machine account, but also a different service like
> > Ganesha that is using a separate keytab. In this case e.g. Ganesha could
> > ask winbindd to decode the PAC and still get its contents, even though
> > winbindd does not trust the information since it was signed with a
> > different keytab.
> 
> That's horrible :-(. Is this *actually* used anywhere ?

Oh, I just went through the entire discussion (again :-).

OK, I'll leave it alone *IF* Ganesha is using it :-). The only
thing I want to add is to make smbd use this interface
and extend the cache priming to updating the name2sid
cache from the PAC info also (as there's no external
way to tell winbindd to modify entries in the name2sid
cache).

(Tested) patch to follow !

Thanks,

Jeremy.


