[PATCH] Winbind ignores the domain local groups when krb5auth is used

Markus Baier Markus_Baier at baier-network.de
Sat Mar 30 18:19:42 MDT 2013


I could solve my problem with the missing local groups
when Winbind uses Kerberos authentication.

I have written a small patch to check within the
winbindd_raw_kerberos_login function in winbindd_pam.c
if the NETLOGON_RESOURCE_GROUPS flag is set
in info3->base.user_flags, after I get the logon_info
back from the kerberos_return_pac function.

If the flag is set, then I perform a second test to
check that the info3->base.domain_sid and the
logon_info->res_group_dom_sid are equal, to make
sure that the resource domain did not differ from
the logon domain.

If this is ok, then I expand the info3->base.groups.rids
array and copy the rids for the local groups from
logon_info->res_groups.rids into the expanded array info3->base.groups.rids.

This solution works for me, but I think it will fail
if the server with the resources the client is
authenticating to is not in the same domain as the
Kerberos KDC that performs the authentication server
ticket request.
In this case the logon domain and the resource domain
should be different and it is not possible to integrate
the rids from res_groups.rids into the
info3->base.groups.rids array.


Best Regards
Markus Baier


- - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff -u -r -N a/source3/winbindd/winbindd_pam.c
b/source3/winbindd/winbindd_pam.c
--- a/source3/winbindd/winbindd_pam.c	2013-03-30 21:24:03.342709560 +0100
+++ b/source3/winbindd/winbindd_pam.c	2013-03-30 23:11:52.862818444 +0100
@@ -626,6 +626,30 @@

 	*info3 = &logon_info->info3;

+	if ((*info3)->base.user_flags & NETLOGON_RESOURCE_GROUPS) { //Check if
the H Flag in the user_flags mask is set
+		if (dom_sid_equal((*info3)->base.domain_sid,
logon_info->res_group_dom_sid)) { //Check if the ResourceGroupDomain sid
is the same as the LogonDomainID sid
+			uint32_t i;
+			uint32_t groups_count_total;
+			struct samr_RidWithAttribute *new_rids;
+
+			groups_count_total = (*info3)->base.groups.count +
logon_info->res_groups.count; //Calculate the new total numbers of rids
in the array
+			new_rids = talloc_realloc(mem_ctx,(*info3)->base.groups.rids,struct
samr_RidWithAttribute, groups_count_total); //Expand the array
+			if (new_rids == NULL) {
+				DEBUG(10, ("talloc_realloc: Faild to expand array for new rids\n"));
+				DEBUGADD(10, ("Copy the rid from ResourceGroupIds to GroupIds not
possible\n"));
+				talloc_free(new_rids);
+			} else {
+
+				/* Start to copy the ResourceGroupIds into the GroupIds array */
+				for (i=0; i < logon_info->res_groups.count; i++) {
+					new_rids[(*info3)->base.groups.count + i].rid =
logon_info->res_groups.rids[i].rid; //Copy the rid from ResourceGroupIds
to GroupIds
+					new_rids[(*info3)->base.groups.count + i].attributes =
logon_info->res_groups.rids[i].attributes; //Copy the attributes from
ResourceGroupIds to GroupIds
+				}
+				(*info3)->base.groups.count = groups_count_total; //Update the
GroupCount field with the new number of groups
+				}
+			}
+	}
+
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of
%s\n",
 		principal_s));
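Review bot: the expanded array is never stored back into info3. `new_rids` returned by `talloc_realloc` is filled and `(*info3)->base.groups.count` is raised to `groups_count_total`, but `(*info3)->base.groups.rids` still points at the old buffer, which talloc_realloc may have moved and freed; every later consumer of the groups array then reads through a stale pointer for a count larger than that buffer ever held. Add `(*info3)->base.groups.rids = new_rids;` before the count is updated. In the failure branch, `talloc_free(new_rids)` frees NULL and is a no-op, and since talloc_realloc leaves the original array intact on failure it can simply be dropped in favour of logging and falling through (or returning an error, given that a DEBUG level 10 message will hide the lost groups in practice). Style: Samba code uses /* */ comments wrapped within 80 columns rather than trailing // comments, and "Faild" should read "Failed".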


