SIDs in kerberos PAC
tridge at samba.org
Fri Sep 24 11:22:12 MDT 2010
Hi Andrew,
Metze and I started looking at the remaining replication problems for
the AD plugfest, and we found one that we're hoping you can help with.
We frequently get ACCESS_DENIED when doing an UpdateRefs or REF_ADD
getncchanges against a w2k8 DC. Sometimes it works and sometimes it
doesn't. Metze realised that it depended on which DC generated the
kerberos ticket we are using and we confirmed this by forcing the kdc
in krb5.conf.
The problem is that when s4 generates the ticket, we get the following
SIDs:
tokenGroups: S-1-1-0
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-2
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-2070
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-516
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
but when w2k8r2 generates the ticket, we get the following:
tokenGroups: S-1-1-0
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-2
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-2070
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-516
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-560 : CN=Windows Authorization Access Group,CN=Builtin
tokenGroups: S-1-5-9 : Enterprise DCs
(I've labelled the extra 2).
The last one is the one that particularly matters, as there is this
ACE in the securityDescriptor on the NC heads:
aces: struct security_ace
    type           : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
    flags          : 0x00 (0)
        0: SEC_ACE_FLAG_OBJECT_INHERIT
        0: SEC_ACE_FLAG_CONTAINER_INHERIT
        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
        0: SEC_ACE_FLAG_INHERIT_ONLY
        0: SEC_ACE_FLAG_INHERITED_ACE
        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
        0: SEC_ACE_FLAG_FAILED_ACCESS
    size           : 0x0028 (40)
    access_mask    : 0x00000100 (256)
    object         : union security_ace_object_ctr(case 5)
        object: struct security_ace_object
            flags          : 0x00000001 (1)
                1: SEC_ACE_OBJECT_TYPE_PRESENT
                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
            type           : union security_ace_object_type(case 1)
                type           : 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2
            inherited_type : union security_ace_object_inherited_type(case 0)
    trustee        : S-1-5-9
the guid 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 is for the
DS-Replication-Manage-Topology right, and we need that right in order
to ask the other DC to add us to repsTo.
Any chance you can fix the kerberos token generation to add S-1-5-9
for writable DCs?
Cheers, Tridge
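To make the effect of the missing S-1-5-9 concrete, here is an added example (not from the mail or from Samba's own access-check code) that walks the object ACE quoted above against the two token SID lists. The ACE structure, the helper names and the simplified first-match DACL logic are my own; only the SIDs, the GUID and the 0x100 access mask come from the mail.

```python
from dataclasses import dataclass
from typing import Optional

# Values taken from the ACE dump and token lists in the mail above.
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 5
SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 6
SEC_ADS_CONTROL_ACCESS = 0x00000100
DS_REPLICATION_MANAGE_TOPOLOGY = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
ENTERPRISE_DCS = "S-1-5-9"

@dataclass
class ObjectAce:  # hypothetical, simplified stand-in for struct security_ace
    type: int
    access_mask: int
    trustee: str
    object_type: Optional[str] = None  # None: ACE covers every control-access right

# The single ACE from the NC head securityDescriptor that matters here.
NC_HEAD_ACES = [
    ObjectAce(SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, SEC_ADS_CONTROL_ACCESS,
              ENTERPRISE_DCS, DS_REPLICATION_MANAGE_TOPOLOGY),
]

# Token SIDs as listed in the mail; the s4-issued ticket lacks the last two.
COMMON_SIDS = ["S-1-1-0", "S-1-5-11", "S-1-5-15", "S-1-5-2",
               "S-1-5-21-3565189888-2228146013-2029845409-2070",
               "S-1-5-21-3565189888-2228146013-2029845409-516",
               "S-1-5-21-3565189888-2228146013-2029845409-572",
               "S-1-5-32-545", "S-1-5-32-554"]
S4_TOKEN = set(COMMON_SIDS)
W2K8R2_TOKEN = S4_TOKEN | {"S-1-5-32-560", "S-1-5-9"}

def has_control_access(token_sids, aces, right_guid):
    """Simplified DACL walk for one control-access right (hypothetical helper):
    the first ACE whose trustee is in the token and whose object type matches
    (or is absent) decides; a deny ACE wins if it comes first; no match
    means access denied."""
    for ace in aces:
        if ace.trustee not in token_sids:
            continue
        if ace.object_type is not None and ace.object_type.lower() != right_guid.lower():
            continue
        if not ace.access_mask & SEC_ADS_CONTROL_ACCESS:
            continue
        return ace.type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
    return False

def can_manage_topology(token_sids):
    return has_control_access(token_sids, NC_HEAD_ACES, DS_REPLICATION_MANAGE_TOPOLOGY)

if __name__ == "__main__":
    print("s4 ticket:", can_manage_topology(S4_TOKEN))          # False
    print("w2k8r2 ticket:", can_manage_topology(W2K8R2_TOKEN))  # True
```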