Query on commit 1bc2f28b9420829645ed571daf2a17e6688b2103
Christof Schmitt
cs at samba.org
Tue Sep 27 22:39:37 UTC 2016
On Tue, Sep 27, 2016 at 03:20:08PM -0700, Jeremy Allison wrote:
> On Tue, Sep 27, 2016 at 03:12:04PM -0700, Christof Schmitt wrote:
> >
> > The whole discussion around this interface is in the thread at:
> > https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283
> >
> > The reason for handling the failed signature validation is mentioned
> > here:
> > https://lists.samba.org/archive/samba-technical/2012-July/085713.html
> >
> > The scenario here would be having winbindd running on a machine with the
> > keytab from the machine account, but also a different service like
> > Ganesha that is using a separate keytab. In this case e.g. Ganesha could
> > ask winbindd to decode the PAC and still get its contents, even though
> > winbindd does not trust the information since it was signed with a
> > different keytab.
>
> That's horrible :-(. Is this *actually* used anywhere ?
Which part are you referring to?
Ganesha uses the winbindd interface to decode the PAC:
https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/idmapper/idmapper.c#L717
If we choose to only allow the call when winbindd can verify the PAC
signature, that would be a matter of configuration for the external
service: Set 'kerberos method' in the config and create a keytab with
'net ads keytab create' for use by the external service. With this
approach, the PAC should always have a signature that can be verified by
winbindd.
Christof
More information about the samba-technical
mailing list