[PATCH] Adds support for Resource SID Compression a new Windows Server 2012 KDC feature - 3rd Version

Markus Baier Markus_Baier at baier-network.de
Tue Apr 2 17:28:03 MDT 2013

On 02.04.2013 22:28, Andrew Bartlett wrote:
> I'm entirely uncomfortable with the idea of having a filter
> which 'fixes' this structure.

I am too :-)
The patch is more like an integrated compatibility mode.
It prevents the users from changing the DisableResourceGroupsFields
registry value if they would use Samba together with a Windows Server
2012 KDC.

> Instead, we need to be
> patching the code where we extract SIDs from the structure.
> What I'm saying is that we need to consolidate the duplicate code in
> these routines, and then to fix this exactly once.

Yes, that would be the right solution.
The problem is that all the functions in Samba like sid_array_from_info3
or create_local_nt_token_from_info3 work with the info3 structure.
But the important data fields (used for resource SID compression)
are not a part of the info3 structure.
The fields are, like info3 itself, a part of the info structure:
        struct netr_SamInfo3 info3;
        struct dom_sid2 *res_group_dom_sid;/* [unique] */
        struct samr_RidWithAttributeArray res_groups;

And that's the problem: after the info3 part has been extracted from
the info structure (PAC_LOGON_INFO), the information is lost.
All the functions like create_local_nt_token_from_info3
or sid_array_from_info3 only get and work with the info3 structure
itself, and so they can't access the dom_sid2 and
samr_RidWithAttributeArray fields.

So, one solution could be to work with the info structure
PAC_LOGON_INFO instead of the info3 structure netr_SamInfo3.
But I think this will be a mess.
Dozens of functions would have to be changed and rewritten,
starting from winbindd_dual_pam_auth down into the code
structure, and there are a lot of functions which use
the info3 structure.

Another, maybe better, solution could be to move
the two structs dom_sid2 and samr_RidWithAttributeArray
from PAC_LOGON_INFO into netr_SamInfo3.
Then functions like sid_array_from_info3 would be
able to access the two fields.
I think this would affect a smaller number of functions
that would have to be rewritten.

But would it be worth all the work? I am not sure.
What would be the benefit we get from res_group_dom_sid
and res_groups, and from the knowledge that the information
comes from these two structs and was not integrated
into the groups and rids fields before a function
like sid_array_from_info3 gets the data?

For all these functions, the additional information
they get from dom_sid2 and samr_RidWithAttributeArray
will be useless, and until now they have been ignored by
Samba altogether.

Thanks and regards
Markus Baier
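The expansion step this thread is about, as an added example in C that is not Samba's code: it uses hypothetical, flattened stand-ins for dom_sid, samr_RidWithAttribute and PAC_LOGON_INFO (struct sid, struct rid_with_attribute, struct logon_info) and hypothetical helpers sid_nt_domain, sid_append_rid, sid_to_string and sid_array_from_logon_info; the sample PAC values are constructed. It shows why the two resource-group fields have to travel together with the info3 data: the resource RIDs only become usable SIDs when combined with res_group_dom_sid, and a PAC that carries resource RIDs without that domain SID is rejected rather than expanded against the account domain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUB_AUTHS 15

/* Hypothetical stand-ins for Samba's dom_sid and samr_RidWithAttribute. */
struct sid {
    uint8_t sid_rev_num, num_auths, id_auth[6];
    uint32_t sub_auths[MAX_SUB_AUTHS];
};
struct rid_with_attribute { uint32_t rid, attributes; };

/* Hypothetical, flattened PAC_LOGON_INFO: the info3 part (account domain SID
 * plus group RIDs) and the two resource-group fields that sit beside info3. */
struct logon_info {
    struct sid domain_sid;
    size_t group_count;
    const struct rid_with_attribute *groups;
    const struct sid *res_group_dom_sid;   /* NULL when no compression was used */
    size_t res_group_count;
    const struct rid_with_attribute *res_groups;
};

/* Build an "S-1-5-21-a-b-c" style domain SID (identifier authority 5). */
static struct sid sid_nt_domain(uint32_t a, uint32_t b, uint32_t c)
{
    struct sid s = { .sid_rev_num = 1, .num_auths = 4,
                     .id_auth = { 0, 0, 0, 0, 0, 5 }, .sub_auths = { 21, a, b, c } };
    return s;
}

/* Render a SID as text. Returns the length written, or -1 if buf is too small. */
static int sid_to_string(const struct sid *s, char *buf, size_t len)
{
    unsigned long long ia = 0;
    int n, m;
    for (int i = 0; i < 6; i++) ia = (ia << 8) | s->id_auth[i];
    n = snprintf(buf, len, "S-%u-%llu", (unsigned)s->sid_rev_num, ia);
    if (n < 0 || (size_t)n >= len) return -1;
    for (uint8_t i = 0; i < s->num_auths; i++) {
        m = snprintf(buf + n, len - (size_t)n, "-%lu", (unsigned long)s->sub_auths[i]);
        if (m < 0 || (size_t)m >= len - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* out = base + rid: the full SID of a group that the PAC carries as a RID. */
static int sid_append_rid(const struct sid *base, uint32_t rid, struct sid *out)
{
    if (base->num_auths >= MAX_SUB_AUTHS) return -1;
    *out = *base;
    out->sub_auths[out->num_auths++] = rid;
    return 0;
}

/* Expand every group into a full SID: info3 groups are RIDs relative to the
 * account domain, resource groups are RIDs relative to res_group_dom_sid.
 * Returns the number of SIDs written, or -1 on a malformed or oversized PAC. */
static int sid_array_from_logon_info(const struct logon_info *li,
                                     struct sid *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < li->group_count; i++, n++)
        if (n >= max || sid_append_rid(&li->domain_sid, li->groups[i].rid, &out[n]))
            return -1;
    /* Resource RIDs without a domain to resolve them against are unusable;
     * rejecting beats silently expanding them relative to the account domain. */
    if (li->res_group_count > 0 && li->res_group_dom_sid == NULL)
        return -1;
    for (size_t i = 0; i < li->res_group_count; i++, n++)
        if (n >= max ||
            sid_append_rid(li->res_group_dom_sid, li->res_groups[i].rid, &out[n]))
            return -1;
    return (int)n;
}

/* Constructed sample PAC with hypothetical values (not real logon data). */
static void build_sample_logon_info(struct logon_info *li)
{
    static const struct rid_with_attribute groups[] = { {513, 7}, {1105, 7} };
    static const struct rid_with_attribute res_groups[] = { {1106, 7}, {1107, 7} };
    static struct sid res_dom;
    res_dom = sid_nt_domain(2000000000u, 3000000000u, 4000000000u);
    li->domain_sid = sid_nt_domain(1000000000u, 1000000001u, 1000000002u);
    li->groups = groups;               li->group_count = 2;
    li->res_group_dom_sid = &res_dom;  li->res_group_count = 2;
    li->res_groups = res_groups;
}

int main(void)
{
    struct logon_info li;
    struct sid sids[8];
    char buf[96];
    int n;
    build_sample_logon_info(&li);
    n = sid_array_from_logon_info(&li, sids, 8);
    for (int i = 0; i < n; i++)
        if (sid_to_string(&sids[i], buf, sizeof buf) > 0) printf("%s\n", buf);
    return n == 4 ? 0 : 1;
}
```

Run as-is it prints the two account-domain group SIDs followed by the two resource-group SIDs; the same data fed to a routine that only sees the info3 part would yield just the first two, which is the information loss described above. The NULL check is the caveat worth keeping whichever way the structs are rearranged: a consumer that gets res_groups but not res_group_dom_sid has no safe way to interpret the RIDs.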
