SIDs in kerberos PAC

tridge at samba.org tridge at samba.org
Fri Sep 24 11:22:12 MDT 2010


Hi Andrew,

Metze and I started looking at the remaining replication problems for
the AD plugfest, and we found one that we're hoping you can help with.

We frequently get ACCESS_DENIED when doing an UpdateRefs or REF_ADD
getncchanges against a w2k8 DC. Sometimes it works and sometimes it
doesn't. Metze realised that it depended on which DC generated the
kerberos ticket we are using and we confirmed this by forcing the kdc
in krb5.conf.

The problem is that when s4 generates the ticket, we get the following
SIDs:

tokenGroups: S-1-1-0
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-2
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-2070
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-516
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554

but when w2k8r2 generates the ticket, we get the following:

tokenGroups: S-1-1-0
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-2
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-2070
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-516
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-560 : CN=Windows Authorization Access Group,CN=Builtin
tokenGroups: S-1-5-9      : Enterprise DCs

(I've labelled the extra 2).

The last one is the one that particularly matters, as there is this
ACE in the securityDescriptor on the NC heads:

                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000100 (256)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-9

the guid 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 is for the
DS-Replication-Manage-Topology right, and we need that right in order
to ask the other DC to add us to repsTo.

Any chance you can fix the kerberos token generation to add S-1-5-9
for writable DCs?

Cheers, Tridge
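To see why the SID list in the ticket decides the outcome, here is an added Python sketch of the object-type ACE check (example code, not Samba's se_access_check): it models the ACE from the NC head, the two tokenGroups lists above, and a first-match walk of the DACL. The helper names are hypothetical, and it assumes a single ACE while ignoring inheritance flags.

```python
"""Simplified DS control-access check (hypothetical helper, not Samba code)."""
from dataclasses import dataclass
from typing import List, Optional

# From the mail: access_mask 0x100 is the DS "control access" right and the
# object type GUID is DS-Replication-Manage-Topology; trustee is Enterprise DCs.
SEC_ADS_CONTROL_ACCESS = 0x00000100
DS_REPLICATION_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
ENTERPRISE_DCS = "S-1-5-9"


@dataclass(frozen=True)
class ObjectAce:
    allowed: bool                 # ACCESS_ALLOWED_OBJECT vs ACCESS_DENIED_OBJECT
    access_mask: int
    object_type: Optional[str]    # GUID when SEC_ACE_OBJECT_TYPE_PRESENT, else None
    trustee: str


def check_control_access(token_sids: List[str], dacl: List[ObjectAce], right_guid: str) -> bool:
    """True if the token holds the extended right named by right_guid.

    Walks the DACL in order; the first ACE that matches both the trustee and the
    object type wins, which is the deny-before-allow ordering AD relies on."""
    sids = set(token_sids)
    for ace in dacl:
        if ace.trustee not in sids or not ace.access_mask & SEC_ADS_CONTROL_ACCESS:
            continue
        # An object-type ACE only covers its own GUID; an ACE without an object
        # type covers every extended right.
        if ace.object_type is not None and ace.object_type.lower() != right_guid.lower():
            continue
        return ace.allowed
    return False


def missing_sids(have: List[str], want: List[str]) -> List[str]:
    """Diff helper: SIDs present in the reference token but absent from ours."""
    return sorted(set(want) - set(have))


# Constructed from the mail: the ACE on the NC head and the two ticket SID lists.
NC_HEAD_DACL = [ObjectAce(True, SEC_ADS_CONTROL_ACCESS, DS_REPLICATION_MANAGE_TOPOLOGY, ENTERPRISE_DCS)]
COMMON = ["S-1-1-0", "S-1-5-11", "S-1-5-15", "S-1-5-2",
          "S-1-5-21-3565189888-2228146013-2029845409-2070",
          "S-1-5-21-3565189888-2228146013-2029845409-516",
          "S-1-5-21-3565189888-2228146013-2029845409-572",
          "S-1-5-32-545", "S-1-5-32-554"]
S4_TOKEN = COMMON
W2K8R2_TOKEN = COMMON + ["S-1-5-32-560", "S-1-5-9"]

if __name__ == "__main__":
    for name, tok in (("s4", S4_TOKEN), ("w2k8r2", W2K8R2_TOKEN)):
        ok = check_control_access(tok, NC_HEAD_DACL, DS_REPLICATION_MANAGE_TOPOLOGY)
        print(f"{name} ticket: {'granted' if ok else 'ACCESS_DENIED'}")
    print("missing from s4 ticket:", missing_sids(S4_TOKEN, W2K8R2_TOKEN))
```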

