[16753] in Kerberos_V5_Development


Re: PACs (was: Re: Delegation and Moonshot)

daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue Apr 5 08:39:31 2011

Date: Tue, 5 Apr 2011 08:39:21 -0400
From: Simo Sorce <ssorce@redhat.com>
To: Luke Howard <lukeh@padl.com>
Message-ID: <20110405083921.4366e310@willson.li.ssimo.org>
In-Reply-To: <E780C061-C0BB-48F4-8110-63202CA60CF1@padl.com>
Mime-Version: 1.0
Cc: "Scott E. Cantor" <cantor.2@osu.edu>,
   Nico Williams <nico@cryptonector.com>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Tue, 5 Apr 2011 00:52:05 +1000
Luke Howard <lukeh@padl.com> wrote:

> On 04/04/2011, at 3:34 PM, Nico Williams wrote:
> 
> > On Mon, Apr 4, 2011 at 12:16 AM, Luke Howard <lukeh@padl.com> wrote:
> >> If you want to pick apart the PAC, I would do it with the MIT
> >> libkrb5 plugin interface. See the code that already does that to
> >> some extent. If you want to process the picked apart PAC with
> >> policy to map it to UIDs, then either this interface or Shibboleth
> >> might be candidates.
> > 
> > The latter (I want the SIDs, the SIDs mapped to UIDs/GIDs, the
> > homedir UNC mapped to whatever, ...).
> 
> 
> If you wish to give the administrator knobs to configure the mapping,
> Shibboleth is a lot more flexible. But consider that you would
> probably still need a libkrb5 authdata plugin to decode the PAC
> buffers and surface them as individual GSS attributes. (Maybe this
> could be done as a Shibboleth plugin instead, I don't understand its
> architecture well enough to say. But I'm pretty certain it doesn't
> have a built-in NDR un-marshalling engine!)
> 
> Your putative libkrb5 plugin could re-entrantly call
> krb5_authdata_get_attribute("urn:mspac:logon-info") and then it's a
> simple matter of NDR decoding that, converting the SIDs to strings,
> etc. I should really write this someday... but isn't the PAC a little
> circa 2001? :-)

If you are ok with GPLv3 code and depending on a yet unstable library
we have code in the forthcoming samba 4 release to allow easy
(un)packing of NDR data :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
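Luke's sketch above ends with "converting the SIDs to strings" once the logon-info buffer has been NDR-decoded. The helper below is an added example written for this archive page, not code from the thread, from MIT krb5 or from Samba: it turns a binary SID as laid out in the PAC (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities, per MS-DTYP) into its "S-1-..." form, rejecting truncated input since the PAC is attacker-influenced data until the KDC signature has been checked. The sample SID bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: S-1-5-21-1234-5678-513 in PAC/MS-DTYP binary layout. */
const uint8_t SAMPLE_SID[] = {
    0x01, 0x04,                         /* revision 1, 4 sub-authorities     */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* identifier authority 5 (NT)       */
    0x15, 0x00, 0x00, 0x00,             /* 21   (little-endian)               */
    0xD2, 0x04, 0x00, 0x00,             /* 1234                               */
    0x2E, 0x16, 0x00, 0x00,             /* 5678                               */
    0x01, 0x02, 0x00, 0x00              /* 513  (Domain Users RID)            */
};
const size_t SAMPLE_SID_LEN = sizeof(SAMPLE_SID);

/* Render a binary SID as "S-1-<authority>-<sub>-...". Returns the string
 * length, or -1 if the input is malformed/truncated or the output buffer
 * is too small. Every length check happens before the corresponding read. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (sid == NULL || out == NULL || len < 8 || sid[0] != 1 || sid[1] > 15)
        return -1;
    size_t count = sid[1];
    if (len < 8 + count * 4)            /* sub-authority array truncated */
        return -1;

    uint64_t authority = 0;             /* 48-bit big-endian */
    for (int i = 2; i < 8; i++)
        authority = (authority << 8) | sid[i];

    /* MS-DTYP: authorities that do not fit in 32 bits are printed in hex. */
    int n = (authority > 0xFFFFFFFFULL)
                ? snprintf(out, outlen, "S-1-0x%llX", (unsigned long long)authority)
                : snprintf(out, outlen, "S-1-%llu", (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return -1;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = sid + 8 + i * 4;   /* 32-bit little-endian */
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}
```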