[PATCH] winbind interface to extract SIDs from PAC

simo idra at samba.org
Thu Jul 5 16:15:10 MDT 2012


On Thu, 2012-07-05 at 13:58 -0700, Christof Schmitt wrote: 
> christof.schmitt at us.ibm.com wrote on 07/03/2012 05:03:29 PM:
> 
> > If the group expansion is too tricky, then i can leave that out
> > for now.
> > 
> > The API provides kerberos_decode_pac, and then the application
> > has to find PAC_TYPE_LOGON_INFO, pull all the data and call
> > winbind to translate the SIDS to uid/gids.  Would that be a good
> > approach to get the mapped ids from the PAC?
> > 
> > With the winbind patch, kerberos_logon_info_from_pac and
> > sid_array_from_info3 would already get the SIDs. But maybe it is
> > not too bad to do something similar in the application. I will
> > look into this approach.
> 
> It seems that the extraction of SIDs from a PAC is doable with
> the libraries.  I can get the SIDs by calling these functions:
> - kerberos_pac_logon_info
> - make_user_info_dc_pac

In the freeipa code we use only ndr_pull_/push_union_blob with the
ndr_pull_/push_PAC_INFO functions to pull/push the pac info from/to a
blob of data.

What you get back is a union PAC_INFO structure that contains all the
data you need.

You can see the code here:
http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=daemons/ipa-kdb/ipa_kdb_mspac.c;h=f640b545a636a2c58e3eb31951de142e5b0ffbe2;hb=master#l887

I guess we could make a couple of functions to shield the pull/push
stuff a bit, but we linked to the ndr stuff directly as it keeps dependencies
to a bare minimum.
As you can see we also created our own sid manipulation function to keep
dependencies low, but that is not necessary.

> The SIDs from user_info->sids can be translated to uid/gids with
> wbcSidsToUnixIds. Is this an acceptable use of Samba libraries by
> an external application? My biggest fear is that those functions
> are considered internal to Samba and external applications would
> break when they are changed.

The ndr functions are probably a better bet, but I think we can also
create a minimal wrapper library to get a user_info struct out of a PAC
and declare it stable in our API if you think using the ndr stuff is too
bothersome. 

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
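As an added illustration (not Samba's, FreeIPA's or Christof's code), the C snippet below walks the outer PAC buffer table to locate the PAC_TYPE_LOGON_INFO buffer, checking every wire-supplied count, offset and size before trusting it; the bytes it returns are the NDR blob that the ndr_pull_union_blob/ndr_pull_PAC_INFO call discussed above would then decode into a PAC_INFO union. It assumes the MS-PAC PACTYPE/PAC_INFO_BUFFER layout (little-endian ULONG cBuffers, ULONG Version, then per-buffer ulType, cbBufferSize, ULONG64 Offset) and uses a constructed sample blob rather than a real PAC.

```c
#include <stdint.h>
#include <stddef.h>
#define PAC_TYPE_LOGON_INFO 1u  /* ulType of the KERB_VALIDATION_INFO buffer */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p)
{
    return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32;
}
/* Walk the PACTYPE header (cBuffers, Version, then cBuffers PAC_INFO_BUFFER
 * entries of ulType/cbBufferSize/Offset) and point *out at the LOGON_INFO
 * buffer. Returns its length, or -1 if it is absent or the PAC is malformed.
 * Every count, offset and size is wire data, so each is checked before use. */
long pac_find_logon_info(const uint8_t *pac, size_t len, const uint8_t **out)
{
    if (len < 8 || le32(pac + 4) != 0)
        return -1;
    uint32_t cbuffers = le32(pac);
    if (cbuffers > (len - 8) / 16)          /* table would run past the blob */
        return -1;
    for (uint32_t i = 0; i < cbuffers; i++) {
        const uint8_t *e = pac + 8 + (size_t)i * 16;
        uint32_t type = le32(e), size = le32(e + 4);
        uint64_t off = le64(e + 8);
        if (type != PAC_TYPE_LOGON_INFO)
            continue;
        if (off > len || size > len - off)  /* buffer outside the blob */
            return -1;
        *out = pac + off;
        return (long)size;
    }
    return -1;
}

/* Constructed sample, not a real PAC: LOGON_INFO at offset 40 (4 payload
 * bytes, then 8-byte alignment padding) and SERVER_CHECKSUM at offset 48. */
const uint8_t sample_pac[52] = {
    2,0,0,0, 0,0,0,0,                        /* cBuffers=2, Version=0 */
    1,0,0,0, 4,0,0,0, 40,0,0,0,0,0,0,0,      /* type 1, size 4, offset 40 */
    6,0,0,0, 4,0,0,0, 48,0,0,0,0,0,0,0,      /* type 6, size 4, offset 48 */
    0xAA,0xBB,0xCC,0xDD, 0,0,0,0, 1,2,3,4 };
/* Same blob, but the LOGON_INFO offset (1000) points past the end. */
const uint8_t bad_pac[52] = {
    2,0,0,0, 0,0,0,0,
    1,0,0,0, 4,0,0,0, 0xE8,0x03,0,0,0,0,0,0,
    6,0,0,0, 4,0,0,0, 48,0,0,0,0,0,0,0,
    0xAA,0xBB,0xCC,0xDD, 0,0,0,0, 1,2,3,4 };
```

The snippet only locates the buffer; the PAC's server and KDC signatures still have to be verified (which is what kerberos_decode_pac does) before any SID taken from it is trusted for uid/gid mapping.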