Linux-CIFS Archive on lore.kernel.org
* Getting the SID of the user out of the PAC ...
@ 2019-09-27  6:39 Steve French
  2019-09-27  6:43 ` Stefan Metzmacher
  2019-09-27  8:05 ` ronnie sahlberg
  0 siblings, 2 replies; 5+ messages in thread
From: Steve French @ 2019-09-27  6:39 UTC (permalink / raw)
  To: ronnie sahlberg, Pavel Shilovsky, Aurélien Aptel,
	samba-technical, CIFS

Is there a way to get the SID of the user out of the MS-PAC through
Samba utils (or winbind)?

This would help cifs if when we upcall as we do today to get the
kerberos ticket, we were also given the user's SID not just the ticket
to use to send to the server during session setup.



-- 
Thanks,

Steve


* Re: Getting the SID of the user out of the PAC ...
  2019-09-27  6:39 Getting the SID of the user out of the PAC Steve French
@ 2019-09-27  6:43 ` Stefan Metzmacher
  2019-09-27  6:50   ` Steve French
  2019-09-27  8:05 ` ronnie sahlberg
  1 sibling, 1 reply; 5+ messages in thread
From: Stefan Metzmacher @ 2019-09-27  6:43 UTC (permalink / raw)
  To: Steve French, ronnie sahlberg, Pavel Shilovsky,
	Aurélien Aptel, samba-technical, CIFS

On 27.09.19 at 08:39, Steve French via samba-technical wrote:
> Is there a way to get the SID of the user out of the MS-PAC through
> Samba utils (or winbind)?
> 
> This would help cifs if when we upcall as we do today to get the
> kerberos ticket, we were also given the user's SID not just the ticket
> to use to send to the server during session setup.

Only if you get a service ticket for the joined client machine.

But I don't understand what a possible use case would be.

metze



* Re: Getting the SID of the user out of the PAC ...
  2019-09-27  6:43 ` Stefan Metzmacher
@ 2019-09-27  6:50   ` Steve French
  2019-09-27  6:58     ` Stefan Metzmacher
  0 siblings, 1 reply; 5+ messages in thread
From: Steve French @ 2019-09-27  6:50 UTC (permalink / raw)
  To: Stefan Metzmacher
  Cc: ronnie sahlberg, Pavel Shilovsky, Aurélien Aptel,
	samba-technical, CIFS

On Fri, Sep 27, 2019 at 1:44 AM Stefan Metzmacher <metze@samba.org> wrote:
>
> On 27.09.19 at 08:39, Steve French via samba-technical wrote:
> > Is there a way to get the SID of the user out of the MS-PAC through
> > Samba utils (or winbind)?
> >
> > This would help cifs if when we upcall as we do today to get the
> > kerberos ticket, we were also given the user's SID not just the ticket
> > to use to send to the server during session setup.
>
> Only if you get a service ticket for the joined client machine.
>
> But I don't understand what a possible use case would be.

When not mounting with "idsfromsid" this would allow us to use the
correct owner SID when creating ACLs (to include the owner and mode)
on mkdir and filecreate (the acl can be sent in the sd_context during
create)

-- 
Thanks,

Steve


* Re: Getting the SID of the user out of the PAC ...
  2019-09-27  6:50   ` Steve French
@ 2019-09-27  6:58     ` Stefan Metzmacher
  0 siblings, 0 replies; 5+ messages in thread
From: Stefan Metzmacher @ 2019-09-27  6:58 UTC (permalink / raw)
  To: Steve French
  Cc: ronnie sahlberg, Pavel Shilovsky, Aurélien Aptel,
	samba-technical, CIFS

On 27.09.19 at 08:50, Steve French wrote:
> On Fri, Sep 27, 2019 at 1:44 AM Stefan Metzmacher <metze@samba.org> wrote:
>>
>> On 27.09.19 at 08:39, Steve French via samba-technical wrote:
>>> Is there a way to get the SID of the user out of the MS-PAC through
>>> Samba utils (or winbind)?
>>>
>>> This would help cifs if when we upcall as we do today to get the
>>> kerberos ticket, we were also given the user's SID not just the ticket
>>> to use to send to the server during session setup.
>>
>> Only if you get a service ticket for the joined client machine.
>>
>> But I don't understand what a possible use case would be.
> 
> When not mounting with "idsfromsid" this would allow us to use the
> correct owner SID when creating ACLs (to include the owner and mode)
> on mkdir and filecreate (the acl can be sent in the sd_context during
> create)

Maybe CREATOR_GROUP and CREATOR_OWNER are of some use for that...

metze




* Re: Getting the SID of the user out of the PAC ...
  2019-09-27  6:39 Getting the SID of the user out of the PAC Steve French
  2019-09-27  6:43 ` Stefan Metzmacher
@ 2019-09-27  8:05 ` ronnie sahlberg
  1 sibling, 0 replies; 5+ messages in thread
From: ronnie sahlberg @ 2019-09-27  8:05 UTC (permalink / raw)
  To: Steve French; +Cc: Pavel Shilovsky, Aurélien Aptel, samba-technical, CIFS

Please don't.

You can't get the sid from NTLMSSP

On Thu, Sep 26, 2019 at 11:39 PM Steve French <smfrench@gmail.com> wrote:
>
> Is there a way to get the SID of the user out of the MS-PAC through
> Samba utils (or winbind)?
>
> This would help cifs if when we upcall as we do today to get the
> kerberos ticket, we were also given the user's SID not just the ticket
> to use to send to the server during session setup.
>
>
>
> --
> Thanks,
>
> Steve
