Bug 9347 - winbind: Extend wbcAuthenticateUserEx to provide PAC
Summary: winbind: Extend wbcAuthenticateUserEx to provide PAC
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.0.0rc4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2012-11-02 10:23 UTC by Stefan Metzmacher
Modified: 2012-11-06 10:04 UTC (History)
1 user (show)

See Also:

Patches for v4-0-test (25.89 KB, patch)
2012-11-02 10:23 UTC, Stefan Metzmacher
abartlet: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2012-11-02 10:23:11 UTC
Created attachment 8138 [details]
Patches for v4-0-test

winbind: Extend wbcAuthenticateUserEx to provide PAC

With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.

The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.
Comment 1 Andrew Bartlett 2012-11-02 11:55:50 UTC
Comment on attachment 8138 [details]
Patches for v4-0-test

I'm glad this is able to make it into 4.0
Comment 2 Karolin Seeger 2012-11-05 10:30:11 UTC
Pushed to autobuild-v4-0-test.
Comment 3 Karolin Seeger 2012-11-06 10:04:59 UTC
Pushed to v4-0-test.
Closing out bug report.