Bug 9347 - winbind: Extend wbcAuthenticateUserEx to provide PAC
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: 4.0.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2012-11-02 10:23 UTC by Stefan Metzmacher
Modified: 2012-11-06 10:04 UTC (History)
Attachments
Patches for v4-0-test (25.89 KB, patch)
2012-11-02 10:23 UTC, Stefan Metzmacher
abartlet: review+

Description Stefan Metzmacher 2012-11-02 10:23:11 UTC
Created attachment 8138 [details]
Patches for v4-0-test

winbind: Extend wbcAuthenticateUserEx to provide PAC

With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PAC is also added to the netsamlogon_cache.

The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows retrieving the
complete group list through the NSS function getgrouplist.
Comment 1 Andrew Bartlett 2012-11-02 11:55:50 UTC
Comment on attachment 8138 [details]
Patches for v4-0-test

I'm glad this is able to make it into 4.0
Comment 2 Karolin Seeger 2012-11-05 10:30:11 UTC
Pushed to autobuild-v4-0-test.
Comment 3 Karolin Seeger 2012-11-06 10:04:59 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!