Winbind ignores the domain local groups when krb5auth is used

Markus Baier Markus_Baier at baier-network.de
Fri Mar 29 05:10:08 MDT 2013


Technical info:
smbd -V Version 3.6.12
winbindd -V -> Version 3.6.12
OS: gentoo with kernel 3.7.10-gentoo
Domain controller OS: Windows Server 2012
with domain and forest functional level: Windows Server 2008 R2


Hello,

my problem: winbind ignores the domain local groups
when the users use the krb5auth authentication.


So wbinfo --user-groups=INTRANET+Test_User shows only the
global domain groups when the user authenticates with:
wbinfo --krb5auth=INTRANET+Test_User%test1234

If wbinfo --pam-logon=INTRANET+Test_User%test1234
is used for the authentication, then
wbinfo --user-groups=INTRANET+Test_User
displays all the local and the global groups.


Now I debugged for two days and found that the function
lookup_usergroups_cached in winbindd_util.c collects
the sid_array only from the struct netr_SamInfo3.
The function ignores the two structs res_group_dom_sid (dom_sid2)
and res_groups (samr_RidWithAttributeArray) from the
PAC_LOGON_INFO struct.

But these two structs store the res_group_dom_sid
and the res_groups array which contains the domain local groups,
when the krb5auth authentication is used:
wbinfo --krb5auth=INTRANET+Test_User%test1234

So in this case wbinfo --user-groups=INTRANET+Test_User
will only display the global groups stored
in the groups struct (samr_RidWithAttributeArray)
within the info3 (netr_SamInfo3) struct,
but ignores the res_group struct within the PAC_LOGON_INFO struct.


I am not sure, but maybe a possible solution could be to store
the complete PAC_LOGON_INFO struct for the user
within the netsamlogon_cache_store function from samlogon_cache.c.
At the moment only the info3 part struct (netr_SamInfo3)
is cached.
And also to restore the complete PAC_LOGON_INFO struct
from the cache within the function netsamlogon_cache_get
from samlogon_cache.c.

Then maybe it's possible to call from lookup_usergroups_cached
(winbindd_util.c) a second function to collect the complete set
of user groups:
First sid_array_from_info3 for the domain global and then 
sid_array_from_res_groups for the domain local groups.

Or maybe a new function sid_array_from_logon_info, which collects
the SIDs for the global groups from the groups struct
(samr_RidWithAttributeArray)
and the SIDs for the local groups from the res_groups struct
(samr_RidWithAttributeArray)
in one step.


Thanks Markus
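As an added illustration of the one-step collector the mail proposes (this is not Samba code and not the author's patch), the block below models sid_array_from_logon_info over simplified stand-in structs. It assumes the MS-PAC layout: the info3 group RIDs are relative to the info3 domain SID, while the res_groups RIDs are relative to res_group_dom_sid; the struct names follow the mail but are defined here, not taken from Samba's IDL.

```c
/* Added illustration, not Samba code: simplified model of the proposed
 * sid_array_from_logon_info; the structs are stand-ins, not Samba's IDL types. */
#include <stddef.h>
#include <stdint.h>
#define MAX_SUBAUTH 15
struct dom_sid { uint8_t num_auths; uint32_t sub_auths[MAX_SUBAUTH]; };
struct rid_with_attr { uint32_t rid; uint32_t attributes; };
struct rid_array { uint32_t count; const struct rid_with_attr *rids; };
struct logon_info {                   /* the PAC_LOGON_INFO fields the mail names */
    struct dom_sid domain_sid;        /* info3 domain SID: base for .groups */
    struct rid_array groups;          /* info3 groups: global groups as RIDs */
    struct dom_sid res_group_dom_sid; /* base SID for the resource groups */
    struct rid_array res_groups;      /* domain local (resource) groups as RIDs */
};

/* Build "<base sid>-<rid>" into out; returns 0 if the base SID is already full. */
static int sid_append_rid(struct dom_sid *out, const struct dom_sid *base, uint32_t rid)
{
    if (base->num_auths >= MAX_SUBAUTH) return 0;
    *out = *base;
    out->sub_auths[out->num_auths++] = rid;
    return 1;
}

/* Expand one RID array against its base SID, appending to out[n..cap). */
static size_t append_rids(struct dom_sid *out, size_t n, size_t cap,
                          const struct dom_sid *base, const struct rid_array *rids)
{
    for (uint32_t i = 0; i < rids->count && n < cap; i++)
        if (sid_append_rid(&out[n], base, rids->rids[i].rid)) n++;
    return n;
}

/* The collector the mail proposes: info3 global groups first, then the resource groups the info3-only path drops. */
size_t sid_array_from_logon_info(const struct logon_info *li, struct dom_sid *out, size_t cap)
{
    size_t n = append_rids(out, 0, cap, &li->domain_sid, &li->groups);
    return append_rids(out, n, cap, &li->res_group_dom_sid, &li->res_groups);
}

/* Constructed sample (made-up SIDs and RIDs): two global and two local groups. */
struct dom_sid demo_sids[8];
size_t demo(void)
{
    static const struct rid_with_attr g[] = {{513, 7}, {1105, 7}};
    static const struct rid_with_attr r[] = {{1106, 7}, {1107, 7}};
    struct logon_info li = { .domain_sid = {4, {21, 111, 222, 333}}, .groups = {2, g},
                             .res_group_dom_sid = {4, {21, 111, 222, 333}}, .res_groups = {2, r} };
    return sid_array_from_logon_info(&li, demo_sids, 8);
}
```

With the sample above, demo() yields four SIDs, whereas an info3-only walk would stop after the two global groups, which is the gap the mail describes.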

