PACs (was: Re: Delegation and Moonshot)

Simo Sorce ssorce at
Tue Apr 5 08:39:21 EDT 2011

On Tue, 5 Apr 2011 00:52:05 +1000
Luke Howard <lukeh at> wrote:

> On 04/04/2011, at 3:34 PM, Nico Williams wrote:
> > On Mon, Apr 4, 2011 at 12:16 AM, Luke Howard <lukeh at> wrote:
> >> If you want to pick apart the PAC, I would do it with the MIT
> >> libkrb5 plugin interface. See the code that already does that to
> >> some extent. If you want to process the picked apart PAC with
> >> policy to map it to UIDs, then either this interface or Shibboleth
> >> might be candidates.
> > 
> > The latter (I want the SIDs, the SIDs mapped to UIDs/GIDs, the
> > homedir UNC mapped to whatever, ...).
> If you wish to give the administrator knobs to configure the mapping,
> Shibboleth is a lot more flexible. But consider that you would
> probably still need a libkrb5 authdata plugin to decode the PAC
> buffers and surface them as individual GSS attributes. (Maybe this
> could be done as a Shibboleth plugin instead, I don't understand its
> architecture well enough to say. But I'm pretty certain it doesn't
> have a built-in NDR un-marshalling engine!)
> Your putative libkrb5 plugin could re-entrantly call
> krb5_authdata_get_attribute("urn:mspac:logon-info") and then it's a
> simple matter of NDR decoding that, converting the SIDs to strings,
> etc. I should really write this someday... but isn't the PAC a little
> circa 2001? :-)

If you are OK with GPLv3 code and depending on an as-yet unstable library,
we have code in the forthcoming Samba 4 release to allow easy
(un)packing of NDR data :)


Simo Sorce * Red Hat, Inc * New York
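
The "converting the SIDs to strings" step mentioned in the thread, as an added example that is not code from the thread, MIT krb5 or Samba. It assumes the NDR layer has already been unmarshalled and the caller holds one packed SID (revision, sub-authority count, identifier authority, sub-authorities); the function name `sid_to_string` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SID_MAX_SUBAUTHS 15 /* upper bound on sub-authorities in a SID */
/* Convert a packed binary SID (1-byte revision, 1-byte sub-authority count,
 * 6-byte big-endian identifier authority, little-endian 32-bit
 * sub-authorities) to "S-R-A-S1-S2..." form.  Returns 0, or -1 on error. */
int sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (buf == NULL || out == NULL || len < 8)
        return -1;
    uint8_t rev = buf[0], count = buf[1];
    /* PAC contents arrive from the network: check the count against len. */
    if (rev != 1 || count > SID_MAX_SUBAUTHS || len < 8 + (size_t)count * 4)
        return -1;

    uint64_t auth = 0; /* printed in decimal, the form used below 2^32 */
    for (int i = 0; i < 6; i++)
        auth = (auth << 8) | buf[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)rev,
                     (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen)
        return -1; /* output buffer too small */
    size_t used = (size_t)n;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = buf + 8 + i * 4;
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1; /* output buffer too small */
        used += (size_t)n;
    }
    return 0;
}

/* Constructed sample, not from a real PAC: S-1-5-21-1-2-3-1104 */
static const uint8_t sample_sid[] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* rev, count, authority */
    0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0x50, 0x04, 0x00, 0x00,
};

int main(void)
{
    char s[64];
    if (sid_to_string(sample_sid, sizeof(sample_sid), s, sizeof(s)) == 0)
        puts(s);
    return 0;
}
```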
