Query on commit 1bc2f28b9420829645ed571daf2a17e6688b2103

Jeremy Allison jra at samba.org
Tue Sep 27 22:44:13 UTC 2016


On Tue, Sep 27, 2016 at 03:39:37PM -0700, Christof Schmitt wrote:
> On Tue, Sep 27, 2016 at 03:20:08PM -0700, Jeremy Allison wrote:
> > On Tue, Sep 27, 2016 at 03:12:04PM -0700, Christof Schmitt wrote:
> > > 
> > > The whole discussion around this interface is in the thread at:
> > > https://lists.samba.org/archive/samba-technical/2012-July/thread.html#85283
> > > 
> > > The reason for handling the failed signature validation is mentioned
> > > here:
> > > https://lists.samba.org/archive/samba-technical/2012-July/085713.html
> > > 
> > > The scenario here would be having winbindd running on a machine with the
> > > keytab from the machine account, but also a different service like
> > > Ganesha that is using a separate keytab. In this case e.g. Ganesha could
> > > ask winbindd to decode the PAC and still get its contents, even though
> > > winbindd does not trust the information since it was signed with a
> > > different keytab.
> > 
> > That's horrible :-(. Is this *actually* used anywhere?
> 
> Which part are you referring to?
> 
> Ganesha uses the winbindd interface to decode the PAC:
> https://github.com/nfs-ganesha/nfs-ganesha/blob/next/src/idmapper/idmapper.c#L717

Yep, Ganesha uses it so I can't mess with it :-). Thanks for
verifying that.

> If we choose to only allow the call when winbindd can verify the PAC
> signature, that would be a matter of configuration for the external
> service: Set 'kerberos method' in the config and create a keytab with
> 'net ads keytab create' for use by the external service. With this
> approach, the PAC should always have a signature that can be verified by
> winbindd.

I think that would be safer, but it's a patch for another day.

Right now I'm planning to add name2sid cache priming to the
WBC_AUTH_USER_LEVEL_PAC code path when pac signature verification
works, and ignore the failure codepath (maybe clean it up later :-).

Cheers,

Jeremy.
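The two behaviours discussed above (winbindd handing back a decoded PAC whose signature it could not verify, versus refusing unless the checksum verifies against its own keytab) as an added toy model. This is example code written for this page, not Samba, libwbclient or Ganesha code; the JSON body, the HMAC-SHA256 checksum, the key values, the principal names and the assumption that every SPN on one machine account shares that account's key are all simplifications chosen for illustration and do not reproduce the real Kerberos PAC encoding or the real server checksum.

```python
# Added example, not Samba or Ganesha code. Models the policy question from the
# thread: a PAC-like blob carries a checksum keyed with the service's long-term
# key; winbindd holds the machine-account key; a second service (Ganesha) may
# hold a separate keytab with a different key.
import hashlib
import hmac
import json
from dataclasses import dataclass

CHECKSUM_LEN = hashlib.sha256().digest_size  # assumed checksum: HMAC-SHA256 (32 bytes)


@dataclass
class DecodedPac:
    contents: dict
    signature_verified: bool


def make_pac(contents: dict, service_key: bytes) -> bytes:
    """Toy PAC: JSON body followed by an HMAC over the body keyed with the
    service's key (an assumed stand-in for the real PAC server checksum)."""
    body = json.dumps(contents, sort_keys=True).encode()
    return body + hmac.new(service_key, body, hashlib.sha256).digest()


def decode_pac(blob: bytes, keytab: dict, require_verified: bool) -> DecodedPac:
    """Decode a toy PAC using the keys in `keytab` (principal -> key).

    require_verified=False models the current lenient path: contents are
    returned even when no key verifies the checksum, flagged as unverified.
    require_verified=True models the proposed strict path: refuse instead."""
    body, mac = blob[:-CHECKSUM_LEN], blob[-CHECKSUM_LEN:]
    verified = any(
        hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac)
        for key in keytab.values()
    )
    if not verified and require_verified:
        raise PermissionError("PAC checksum does not verify with any key in the keytab")
    return DecodedPac(contents=json.loads(body), signature_verified=verified)


# Constructed keys and keytabs for the example (not real keytab files).
MACHINE_KEY = b"machine-account-key-0123456789ab"
GANESHA_KEY = b"ganesha-separate-keytab-key-0123"

# winbindd: machine-account keytab only.
WINBINDD_KEYTAB = {"host/fileserver.example.com": MACHINE_KEY}
# Ganesha with its own, unrelated keytab: PACs it receives are keyed with GANESHA_KEY.
GANESHA_OWN_KEYTAB = {"nfs/fileserver.example.com": GANESHA_KEY}
# Ganesha using a keytab derived from the machine account (the thread's proposal,
# modelled as 'net ads keytab create' plus the nfs/ SPN on the same account):
# assumed here to share the machine-account key, so winbindd can verify it.
SHARED_KEYTAB = {**WINBINDD_KEYTAB, "nfs/fileserver.example.com": MACHINE_KEY}

# Constructed user data carried in the PAC body.
USER = {"user": "alice", "sid": "S-1-5-21-1-2-3-1105", "groups": ["S-1-5-21-1-2-3-513"]}

PAC_FOR_CIFS = make_pac(USER, MACHINE_KEY)                 # ticket for winbindd's own service
PAC_FOR_NFS_SEPARATE_KEYTAB = make_pac(USER, GANESHA_KEY)  # ticket for Ganesha, separate keytab
PAC_FOR_NFS_SHARED_KEYTAB = make_pac(USER, MACHINE_KEY)    # ticket for Ganesha, shared keytab


def lenient_decode(blob: bytes) -> DecodedPac:
    """winbindd as the thread describes it: decode, report whether it trusts the result."""
    return decode_pac(blob, WINBINDD_KEYTAB, require_verified=False)


def strict_decode_refuses(blob: bytes) -> bool:
    """True if the proposed strict winbindd would refuse to decode this blob."""
    try:
        decode_pac(blob, WINBINDD_KEYTAB, require_verified=True)
        return False
    except PermissionError:
        return True


def tampered_pac(blob: bytes) -> bytes:
    """Same-length edit of the body so JSON still parses but the checksum no longer matches."""
    return blob.replace(b"alice", b"bob11")


if __name__ == "__main__":
    r = lenient_decode(PAC_FOR_NFS_SEPARATE_KEYTAB)
    print("separate keytab, lenient: contents returned, verified =", r.signature_verified)
    print("separate keytab, strict: refused =", strict_decode_refuses(PAC_FOR_NFS_SEPARATE_KEYTAB))
    print("shared keytab, strict: refused =", strict_decode_refuses(PAC_FOR_NFS_SHARED_KEYTAB))
    t = lenient_decode(tampered_pac(PAC_FOR_CIFS))
    print("tampered, lenient: user =", t.contents["user"], "verified =", t.signature_verified)
```

The tampered case is the reason the lenient path is uncomfortable: a caller that ignores `signature_verified` and only looks at the returned contents will happily act on a user and group list that nobody vouched for. The strict path pushes the burden to configuration, which is the trade-off Christof describes.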


