PACs (was: Re: Delegation and Moonshot)

Luke Howard lukeh at
Mon Apr 4 10:52:05 EDT 2011

On 04/04/2011, at 3:34 PM, Nico Williams wrote:

> On Mon, Apr 4, 2011 at 12:16 AM, Luke Howard <lukeh at> wrote:
>> If you want to pick apart the PAC, I would do it with the MIT libkrb5 plugin interface. See the code that already does that to some extent. If you want to process the picked apart PAC with policy to map it to UIDs, then either this interface or Shibboleth might be candidates.
> The latter (I want the SIDs, the SIDs mapped to UIDs/GIDs, the homedir
> UNC mapped to whatever, ...).

If you wish to give the administrator knobs to configure the mapping, Shibboleth is a lot more flexible. But consider that you would probably still need a libkrb5 authdata plugin to decode the PAC buffers and surface them as individual GSS attributes. (Maybe this could be done as a Shibboleth plugin instead, I don't understand its architecture well enough to say. But I'm pretty certain it doesn't have a built-in NDR un-marshalling engine!

Your putative libkrb5 plugin could re-entrantly call krb5_authdata_get_attribute("urn:mspac:logon-info") and then it's a simple matter of NDR decoding that, converting the SIDs to strings, etc. I should really write this someday... but isn't the PAC a little circa 2001? :-)

-- Luke

More information about the krbdev mailing list