Reliably looking up user's group membership SIDs

Isaac Boukris iboukris at gmail.com
Sun Mar 4 20:21:38 UTC 2018


On Fri, Mar 2, 2018 at 7:55 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> Suggestion:
>
> However I was thinking maybe wbclient library could wrap this up for
> the user, to make it easier to use with no need to get hands dirty
> with machine creds etc (especially as net api isn't a library call).
> Then in turn, wbinfo could use this functionality to display user's SIDs.
>
> Here is what I suggest the API could look like (wip):
> https://github.com/frenche/samba/commit/7dbae128461cb190dac2d10e0c5bd1ee9e992976


I think a TLDR version is: would it make sense for
wbcAuthenticateUserEx() (or the wbclient API) to provide a new
'impersonate' level similar to WBC_AUTH_USER_LEVEL_PAC but only
requiring the username instead of a PAC, while the winbindd backend
will get the PAC via impersonation using the machine account?
This could allow the wbinfo client (as root) and other services to get
a user's info and relevant membership SIDs (or are there better
alternatives?).

Thanks!


