PACs (was: Re: Delegation and Moonshot)
Luke Howard
lukeh at padl.com
Mon Apr 4 10:52:05 EDT 2011
On 04/04/2011, at 3:34 PM, Nico Williams wrote:
> On Mon, Apr 4, 2011 at 12:16 AM, Luke Howard <lukeh at padl.com> wrote:
>> If you want to pick apart the PAC, I would do it with the MIT libkrb5 plugin interface. See the code that already does that to some extent. If you want to process the picked apart PAC with policy to map it to UIDs, then either this interface or Shibboleth might be candidates.
>
> The latter (I want the SIDs, the SIDs mapped to UIDs/GIDs, the homedir
> UNC mapped to whatever, ...).
If you wish to give the administrator knobs to configure the mapping, Shibboleth is a lot more flexible. But consider that you would probably still need a libkrb5 authdata plugin to decode the PAC buffers and surface them as individual GSS attributes. (Maybe this could be done as a Shibboleth plugin instead, I don't understand its architecture well enough to say. But I'm pretty certain it doesn't have a built-in NDR un-marshalling engine!
Your putative libkrb5 plugin could re-entrantly call krb5_authdata_get_attribute("urn:mspac:logon-info") and then it's a simple matter of NDR decoding that, converting the SIDs to strings, etc. I should really write this someday... but isn't the PAC a little circa 2001? :-)
-- Luke
More information about the krbdev
mailing list