On Thu, May 19, 2022 at 5:44 PM Jeremy Allison <jra at samba.org> wrote:
> Can you explain what "the agent" does to authenticate ?
The agent is what we're building. Right now it is just pulling the
current username; what we want is to somehow (if possible) obtain the
ticket (may not be the correct term) of the currently logged in user,
and pass that off to Samba for verification. That's all I'm asking
for, or whether it's possible.
> I think we need more info on how the Palo Alto firewall
> does authentication.
The Palo has tons of ways to authenticate, but in this case the Palo
isn't doing anything; WE are doing the legwork with a custom developed
solution and just telling the Palo via its API, "DOMAIN\User is
mapped to IP". That's it on the Palo end. Our intermediate server, the
thing the Agent talks to, and what sends the above commands to the
Palo API, is just ingesting the info sent from the agent. THAT is the
part we are trying to secure. Rather than sending the username, it
would be nice to send the login ticket from the agent to the
intermediate server, then (if possible) send a request to Samba to
verify whether the ticket sent was valid or not, and what domain user
it belonged to. If valid, send mapping commands; if not, do nothing.

Hope that helps.