
Re: [patch] miscellaneous mechglue stuff



On Mon, 8 May 2006 10:01:43 -0500
Nicolas Williams <Nicolas.Williams@sun.com> wrote:

> On Tue, May 09, 2006 at 12:49:38AM +1000, Andrew Bartlett wrote:
> > In an ideal world this would be great.  I'm a bit more worried about the
> > actual software construction required to make that go however.  
> > 
> > For the AD case it would seem from my point of view to involve the
> > GSSAPI libs talking to Samba an awful lot.  While there is a great need
> > (people do want Samba's authentication and authorisation
> > infrastructure), I'm worried that it might also just be very hard to
> > swallow...
> 
> How?  Why?
> 
> Anyways, what it does mean in terms of software construction is that
> "GSS mechanisms" is not really the only way to plug-in to the mechglue
> anymore.  Mechanisms might provide access to raw information -- raw
> PACs, raw authz-data, raw access to constrained delegated tix -- while
> other plug-ins provide the desired mappings (SIDs->UIDs/GIDs).
> 
> I see absolutely no problem swallowing this.

As long as I have a clean interface to the raw PAC I don't think I
care about anything else. The reason, and I suspect this is sort
of where Andrew is coming from, is that virtually all authorization
logic is performed using strictly SIDs. Names are for humans looking at
ACL editors. Meaning when performing an access check, the list of SIDs
in the PAC is directly compared to the list of SIDs in the ACL for the
object of interest. It would be REALLY slow to convert the SIDs to names
and compare those.

Mike
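
The access check described in the message above, sketched as an added example (not part of the original post and not code from any Kerberos or Samba tree): ACEs are matched against the token's SIDs by comparing raw binary SIDs, with no name lookup. The ACE model, the right bits, every identifier and the sample SIDs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Binary SID: revision(1) | sub-authority count(1) | identifier
 * authority(6, big-endian) | sub-authorities (4 bytes each, little-endian). */
static int sid_equal(const uint8_t *a, const uint8_t *b)
{
    /* Equal counts first, so the memcmp length is valid for both buffers. */
    return a[1] == b[1] && memcmp(a, b, 8 + 4 * (size_t)a[1]) == 0;
}

enum ace_type { ACE_ALLOW, ACE_DENY };               /* hypothetical names */
enum { RIGHT_READ = 1, RIGHT_WRITE = 2 };            /* hypothetical rights */
struct ace { enum ace_type type; uint32_t mask; const uint8_t *sid; };

/* Simplified ordered-ACE check: matching uses raw SID bytes, never names. */
static int access_check(const uint8_t *const *sids, size_t n_sids,
                        const struct ace *acl, size_t n_aces, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n_aces && remaining; i++) {
        int match = 0;
        for (size_t j = 0; j < n_sids && !match; j++)
            match = sid_equal(acl[i].sid, sids[j]);
        if (!match) continue;
        if (acl[i].type == ACE_DENY && (acl[i].mask & remaining))
            return 0;                    /* a requested right is denied */
        if (acl[i].type == ACE_ALLOW)
            remaining &= ~acl[i].mask;   /* these rights are now granted */
    }
    return remaining == 0;
}

/* Constructed SIDs S-1-5-21-1-2-3-<RID>; r0, r1 are the RID's low bytes. */
#define DOM_SID(r0, r1) { 1, 5, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, \
                          2,0,0,0, 3,0,0,0, (r0), (r1), 0, 0 }
static const uint8_t SID_USER[]   = DOM_SID(0xE9, 0x03);   /* RID 1001 */
static const uint8_t SID_USERS[]  = DOM_SID(0x01, 0x02);   /* RID 513  */
static const uint8_t SID_ADMINS[] = DOM_SID(0x00, 0x02);   /* RID 512  */

/* Constructed token (SIDs as they would come out of a PAC) and object ACL. */
int demo_check(uint32_t desired)
{
    const uint8_t *const token[] = { SID_USER, SID_USERS };
    const struct ace acl[] = { { ACE_DENY,  RIGHT_WRITE, SID_USERS },
                               { ACE_ALLOW, RIGHT_READ | RIGHT_WRITE, SID_USER },
                               { ACE_ALLOW, RIGHT_READ, SID_ADMINS } };
    return access_check(token, 2, acl, 3, desired);
}
```

The group deny ACE comes first, so the user's own allow ACE cannot grant write, while read is still granted.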