On Mon, 2006-05-08 at 09:43 -0500, Nicolas Williams wrote:
> On Mon, May 08, 2006 at 02:33:42AM -0400, Michael B Allen wrote:
> > Excuse me for being dull but how exactly would one export the PAC from a
> > kerberos ticket negotiated via GSSAPI? I hope the plan isn't to somehow
> > interpret the PAC - it's NDR encoded and doesn't contain names of groups,
> > only SIDs.
> *Both* options are feasible.
> The API allows the mechanism to indicate whether a piece of authz data
> has been "authenticated," which in this case refers to whether the PAC
> (or AD-KDC-ISSUED) signature (or whatever) has been validated.
> As to the contents...  Some applications may care about SIDs, even on
> non-Windows platforms, while others may care about corresponding POSIX
> IDs.  In neither case should the applications need to know the details
> of how such items are obtained -- whether they arrived in the ticket or
> were looked up with a delegated ticket delivered in the other, or using
> some form of constrained delegation, or looked up using host credentials
> if the DS will allow it, none of that should matter to the application.

In an ideal world this would be great.  I'm a bit more worried about the
actual software construction required to make that go however.  

For the AD case it would seem from my point of view to involve the
GSSAPI libs talking to Samba an awful lot.  While there is a great need
(people do want Samba's authentication and authorisation
infrastructure), I'm worried that it might also just be very hard to
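Added example (not code from this thread, from Samba, or from any GSS-API implementation) illustrating the point made earlier in the thread that the PAC carries group membership as binary SIDs rather than names: a decoder for the on-the-wire SID layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) followed by the separate name-mapping step that the application would otherwise have to do itself. The sample bytes are constructed (the binary form of S-1-5-32-544), and the small well-known-name table stands in for the directory lookup the thread discusses; neither comes from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: decode a binary SID as carried in a PAC into "S-1-..." form.
 * Layout: revision(1) sub_authority_count(1) identifier_authority(6, big-endian)
 *         sub_authorities(4 bytes each, little-endian). At most 15 sub-authorities. */
#define SID_MAX_SUB_AUTHS 15

/* Returns the number of characters written, or -1 if buf/len is not a well-formed SID. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 8) return -1;                       /* header alone is 8 bytes */
    unsigned revision = buf[0];
    unsigned nsub = buf[1];
    if (revision != 1 || nsub > SID_MAX_SUB_AUTHS) return -1;
    if (len < 8 + (size_t)nsub * 4) return -1;    /* count claims more data than present */

    uint64_t authority = 0;                       /* 48-bit big-endian authority */
    for (int i = 0; i < 6; i++) authority = (authority << 8) | buf[2 + i];

    int n = snprintf(out, outlen, "S-%u-%llu", revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (unsigned i = 0; i < nsub; i++) {
        const uint8_t *p = buf + 8 + i * 4;       /* little-endian sub-authority */
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* Convenience wrapper returning a static buffer, or NULL on malformed input. */
const char *sid_to_string_static(const uint8_t *buf, size_t len)
{
    static char s[256];   /* worst case: "S-1-" + 20-digit authority + 15 x "-4294967295" */
    return sid_to_string(buf, len, s, sizeof s) < 0 ? NULL : s;
}

/* Constructed sample: binary form of S-1-5-32-544 (BUILTIN\Administrators). */
const uint8_t SAMPLE_SID[] = { 0x01, 0x02, 0, 0, 0, 0, 0, 0x05,
                               0x20, 0, 0, 0,  0x20, 0x02, 0, 0 };
const size_t SAMPLE_SID_LEN = sizeof SAMPLE_SID;

/* Stand-in for the name lookup the thread argues should live below the API:
 * only a handful of well-known SIDs can be named without a directory query. */
const char *well_known_name(const char *sid)
{
    static const struct { const char *sid, *name; } table[] = {
        { "S-1-1-0",      "Everyone" },
        { "S-1-5-11",     "Authenticated Users" },
        { "S-1-5-32-544", "BUILTIN\\Administrators" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].sid, sid) == 0) return table[i].name;
    return NULL;   /* domain SIDs need a lookup against the DS */
}

int main(void)
{
    const char *s = sid_to_string_static(SAMPLE_SID, SAMPLE_SID_LEN);
    if (!s) { fprintf(stderr, "malformed SID\n"); return 1; }
    const char *name = well_known_name(s);
    printf("%s -> %s\n", s, name ? name : "(not well-known; directory lookup required)");
    return 0;
}
```

The length checks matter in practice: the sub-authority count byte is attacker-influenced only to the extent the PAC signature has not been validated, which is exactly the "authenticated" flag the quoted API design exposes; a decoder that trusts the count before the signature check reads past the buffer.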

