[Samba] Obtaining Login Session for Verification

Jeremy Allison jra at samba.org
Fri May 20 17:44:14 UTC 2022

On Fri, May 20, 2022 at 11:10:50AM -0400, ralph strebbing wrote:
>On Thu, May 19, 2022 at 5:44 PM Jeremy Allison <jra at samba.org> wrote:
>> Can you explain what "the agent" does to authenticate ?
>The agent is what we're building. Right now it is just pulling the
>current username, what we want is to somehow (if possible), obtain the
>ticket (may not be the correct term) of the currently logged in user,
>and pass that off to Samba for verification. That's all I'm asking
>for, or if it's possible.

This is on a Windows client, yes ? Normally this happens under
the covers via the Windows auth subsystem (getting the service
ticket from the KDC/AD and then passing to the Samba server).

>> I think we need more info on how the Palo Alto firewall
>> does authentication.
>The Palo has tons of ways to authenticate, but in this case the Palo
>isn't doing anything, WE are doing the legwork with a custom developed
>solution and just telling the Palo via its API, "DOMAIN\User is
>mapped to IP". That's it on the Palo end. Our intermediate server, the
>thing the Agent talks to, and what sends the above commands to the
>Palo API is just ingesting the info sent from the agent, THAT is the
>part we are trying to secure. Rather than sending the username, it
>would be nice to send the login ticket from the agent to the
>intermediate server, then (if possible), send a request to Samba to

That sounds like a forwardable ticket ? I don't think you want
to send the TGT.

>verify whether the ticket sent was valid or not, and what domain user
>it belonged to. If valid, send mapping commands, if not, do nothing.

I'm still unclear as to what types of krb5 tickets you're trying
to do what with :-). Might make it clearer if you describe in
terms of krb5 tickets only.

