SIDs in kerberos PAC

Andrew Bartlett abartlet at samba.org
Fri Sep 24 15:13:03 MDT 2010


On Fri, 2010-09-24 at 10:22 -0700, tridge at samba.org wrote:
> Hi Andrew,
> 
> Metze and I started looking at the remaining replication problems for
> the AD plugfest, and we found one that we're hoping you can help with.
> 
> We frequently get ACCESS_DENIED when doing an UpdateRefs or REF_ADD
> getncchanges against a w2k8 DC. Sometimes it works and sometimes it
> doesn't. Metze realised that it depended on which DC generated the
> kerberos ticket we are using and we confirmed this by forcing the kdc
> in krb5.conf.
> 
> The problem is that when s4 generates the ticket, we get the following
> SIDs:
> 
> tokenGroups: S-1-1-0
> tokenGroups: S-1-5-11
> tokenGroups: S-1-5-15
> tokenGroups: S-1-5-2
> tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-2070
> tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-516
> tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
> tokenGroups: S-1-5-32-545
> tokenGroups: S-1-5-32-554
> 
> but when w2k8r2 generates the ticket, we get the following:
> 
> tokenGroups: S-1-1-0
> tokenGroups: S-1-5-11
> tokenGroups: S-1-5-15
> tokenGroups: S-1-5-2
> tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-2070
> tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-516
> tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
> tokenGroups: S-1-5-32-545
> tokenGroups: S-1-5-32-554
> tokenGroups: S-1-5-32-560 : CN=Windows Authorization Access Group,CN=Builtin
> tokenGroups: S-1-5-9      : Enterprise DCs

> Any chance you can fix the kerberos token generation to add S-1-5-9
> for writable DCs?

Generation of extra local groups is handled in
dsdb/samdb/samdb.c:security_token_create(), which is based in turn on
flags set by auth/session.c:auth_generate_session_info().

We need to understand why the AUTH_SESSION_INFO_ENTERPRISE_DC isn't
being passed down here. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
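As an added illustration (not code from this thread or from Samba), the script below diffs the two tokenGroups lists quoted above and labels the SIDs involved, which is the quickest way to confirm exactly which group memberships one KDC's PAC omits. The SID list is copied from the mail; the name table is supplied here as an annotation aid and only the two labels in the quoted mail come from the page.

```python
"""Compare the tokenGroups a Kerberos PAC carries when issued by two KDCs."""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known SIDs used to label the diff. Domain-relative RIDs apply to any
# S-1-5-21-<domain> SID; the others are absolute.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-15": "This Organization",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-560": "BUILTIN\\Windows Authorization Access Group",
}
DOMAIN_RIDS = {516: "Domain Controllers", 572: "Denied RODC Password Replication Group"}

# SID lists as quoted in the mail: ticket issued by Samba4 vs. by w2k8r2.
DOMAIN = "S-1-5-21-3565189888-2228146013-2029845409"
S4_TICKET = ["S-1-1-0", "S-1-5-11", "S-1-5-15", "S-1-5-2", DOMAIN + "-2070",
             DOMAIN + "-516", DOMAIN + "-572", "S-1-5-32-545", "S-1-5-32-554"]
W2K8R2_TICKET = S4_TICKET + ["S-1-5-32-560", "S-1-5-9"]


def parse_sid(sid):
    """Split 'S-R-A-s1-s2...' into (revision, authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    return int(m.group(1)), int(m.group(2)), [int(x) for x in m.group(3)[1:].split("-")]


def describe(sid):
    """Human-readable label for well-known and domain-relative SIDs."""
    _rev, auth, subs = parse_sid(sid)
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if auth == 5 and subs[:1] == [21] and len(subs) == 5:
        return DOMAIN_RIDS.get(subs[-1], f"domain RID {subs[-1]}")
    return "unknown"


def diff_token_groups(ours, theirs):
    """Return (missing, extra): SIDs only in 'theirs' / only in 'ours'."""
    a, b = set(ours), set(theirs)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    missing, extra = diff_token_groups(S4_TICKET, W2K8R2_TICKET)
    for sid in missing:
        print(f"missing from our PAC: {sid:<48} {describe(sid)}")
    for sid in extra:
        print(f"extra in our PAC:     {sid:<48} {describe(sid)}")
```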