[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [patch] miscellaneous mechglue stuff



On Mon, 2006-05-08 at 09:43 -0500, Nicolas Williams wrote:
> On Mon, May 08, 2006 at 02:33:42AM -0400, Michael B Allen wrote:
> 
> > Excuse me for being dull but how exactly would one export the PAC from a
> > kerberos ticket negotiated via GSSAPI? I hope the plan isn't to somehow
> > interpret the PAC - it's NDR encoded and doesn't contain names of groups,
> > only SIDs.
> 
> *Both* options are feasible.
> 
> The API allows the mechanism to indicate whether a piece of authz data
> has been "authenticated," which in this case refers to whether the PAC
> (or AD-KDC-ISSUED) signature (or whatever) has been validated.
> 
> As to the contents...  Some applications may care about SIDs, even on
> non-Windows platforms, while others may care about corresponding POSIX
> IDs.  In neither case should the applications need to know the details
> of how such items are obtained -- whether they arrived in the ticket or
> were looked up with a delegated ticket delivered in the other, or using
> some form of constrained delegation, or looked up using host credentials
> if the DS will allow it, none of that should matter to the application.

In an ideal world this would be great.  I'm a bit more worried about the
actual software construction required to make that go however.  

For the AD case it would seem from my point of view to involve the
GSSAPI libs talking to Samba an awful lot.  While there is a great need
(people do want Samba's authentication and authorisation
infrastructure), I'm worried that it might also just be very hard to
swallow...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part