Regarding retrieving user group membership using wbinfo.

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jun 5 08:59:00 MDT 2014


Hi!

There's an rpcclient command, but that's a bit tricky to use.
wbinfo -a is the one to try first I guess :-)

Volker

On Thu, Jun 05, 2014 at 08:21:31PM +0530, Hemanth Thummala wrote:
> Also I would like to know if there is any "net" command that can be used to
> request the same information mentioned as part of this specific DCE-RPC
> call.
> 
> Thanks,
> Hemanth.
> 
> 
> On Thu, Jun 5, 2014 at 7:56 PM, Hemanth Thummala <hemanth.thummala at gmail.com> wrote:
> 
> > Yes Volker. You are correct. netsamlogon_cache is getting updated on
> > successful user login. And from the code I could see that a DCE-RPC call is
> > made to get the group membership list and update the netsamlogon_cache.tdb file.
> >
> > When I remove the cache entries related to this specific user (SID), the
> > listing is proper. Based on this I suspect that netsamlogon_cache is
> > updated with incorrect data using the DCE-RPC response. I could not get
> > what exactly the request and response contain as they are encrypted. But
> > from the code, it is the rpccli_netlogon_sam_network_logon_ex() routine which is
> > responsible for retrieving the info3 structure which includes the group
> > membership information.
> >
> > And yes, I forgot to mention that it is the Samba 3.6.12+ stack that we are
> > using here. Thanks for that Richard.
> >
> > Thanks,
> > Hemanth.
> >
> >
> > On Thu, Jun 5, 2014 at 7:44 PM, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> >
> >> On Thu, Jun 05, 2014 at 06:43:59AM -0700, Richard Sharpe wrote:
> >> > On Thu, Jun 5, 2014 at 3:41 AM, Hemanth Thummala
> >> > <hemanth.thummala at gmail.com> wrote:
> >> > > Hi,
> >> > >
> >> > > We are experiencing a strange problem with one of our customer setups
> >> > > relating to user group memberships. The customer has a multi-site AD setup
> >> > > in which our boxes are deployed in multiple sites.
> >> > > In one particular site, we are seeing a difference in group membership
> >> > > details for a user (wbinfo -r <user>). We are able to retrieve only a few
> >> > > groups, fewer than expected, whereas at other sites we are able to get the
> >> > > correct results.
> >> >
> >> > A vital piece of info is that this is Samba 3.6.12+ you are talking
> >> > about. The same problem might not exist in the latest sources.
> >> >
> >> > > Initially we thought it's an AD replication problem, but even forcing
> >> > > our boxes to contact the PDC (by blocking the traffic to the site-local
> >> > > DC) did not help.
> >> > >
> >> > > Then I removed the cache entries for this user from both
> >> > > winbindd_cache.tdb and netsamlogon_cache.tdb. Then it started showing the
> >> > > correct entries. But after 5 to 6 hours this problem reappears. After
> >> > > cleaning up the cache entries in both tdb files, the problem goes away.
> >> > >
> >> > > From the code walk-through and debug level logs this is what I understood.
> >> > > 1. Winbindd receives a GETGROUPS request from the client.
> >> > > 2. Initially it will look up winbindd_cache.tdb and see if there is a
> >> > > "UG/sid" entry for the user. It will return the information in the cache
> >> > > if the entry is not expired (I think the expiry time is 5 mins).
> >> > > 3. If the entry in winbindd_cache.tdb is expired, then a lookup_usergroups()
> >> > > request will be made.
> >> > > 4. Before contacting the DC to fetch the groups, it will search for the
> >> > > user SID in netsamlogon_cache.tdb. If the entry is found, that information
> >> > > will be returned.
> >> > > 5. If the entry is not found in netsamlogon_cache.tdb, then a DCE-RPC
> >> > > request will be made using cached kerberos credentials.
> >> > >
> >> > > I came to know that there is no expiry time for the cached entries in
> >> > > netsamlogon_cache.tdb. I have seen that the expiry time calculation is
> >> > > commented out in netsamlogon_cache_get().
> >> > >
> >> > > But I am not really sure why the cache entry in netsamlogon_cache.tdb is
> >> > > updated with wrong data, due to which the problem is reappearing.
> >>
> >> If all goes well then the netsamlogon_cache is only written
> >> after a successful login. This can happen when a client
> >> authenticates via netlogon or presents a valid kerberos
> >> ticket with a PAC. In the bad case, can you find out where
> >> the bad information comes from? Is it really the netsamlogon
> >> cache that is faulty?
> >>
> >> With best regards,
> >>
> >> Volker Lendecke
> >>
> >> --
> >> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> >> phone: +49-551-370000-0, fax: +49-551-370000-9
> >> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> >> http://www.sernet.de, mailto:kontakt at sernet.de
> >>
> >
> >

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
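The two-level cache chain Hemanth describes in steps 1 to 5 of the quoted thread, as an added example that is not code from the thread or from Samba: a constructed Python model of winbindd_cache (expiring "UG/<sid>" entries) in front of netsamlogon_cache (written only on logon, no expiry), showing why a wrong group list written into netsamlogon_cache keeps being served after the winbindd_cache entry expires, until that entry is removed. The TTL, SID, group names and the truncated info3 are assumptions built from the thread's description.

```python
# Constructed model of the winbindd GETGROUPS lookup chain from the thread.
# It is not Samba code; names mirror the thread's terms only.
import time

WINBINDD_CACHE_TTL = 300  # assumed ~5 min expiry of "UG/<sid>" entries


class GroupLookup:
    def __init__(self, dc_groups, now=None):
        self.dc_groups = dc_groups          # what the DC would answer (assumed)
        self.winbindd_cache = {}            # "UG/<sid>" -> (expires_at, groups)
        self.netsamlogon_cache = {}         # sid -> groups, no expiry at all
        self.dc_calls = 0                   # counts DCE-RPC round trips
        self.now = now if now is not None else time.time

    def record_logon(self, sid, groups_from_info3):
        # netsamlogon_cache is only written after a successful logon (info3).
        self.netsamlogon_cache[sid] = list(groups_from_info3)

    def getgroups(self, sid):
        # Step 2: fresh "UG/<sid>" entry in winbindd_cache wins.
        key = "UG/" + sid
        entry = self.winbindd_cache.get(key)
        if entry and entry[0] > self.now():
            return entry[1], "winbindd_cache"
        # Step 3: expired or absent -> lookup_usergroups(), then re-cache.
        groups, source = self.lookup_usergroups(sid)
        self.winbindd_cache[key] = (self.now() + WINBINDD_CACHE_TTL, groups)
        return groups, source

    def lookup_usergroups(self, sid):
        # Step 4: netsamlogon_cache hit short-circuits the DC, whatever its age.
        if sid in self.netsamlogon_cache:
            return list(self.netsamlogon_cache[sid]), "netsamlogon_cache"
        # Step 5: otherwise ask the DC (stands in for the DCE-RPC call).
        self.dc_calls += 1
        return list(self.dc_groups.get(sid, [])), "dc"


def reproduce_stale_scenario():
    clock = [1000.0]                                  # controllable clock
    sid = "S-1-5-21-0-0-0-1105"                       # constructed SID
    full = ["Domain Users", "Engineering", "VPN"]     # constructed DC answer
    lk = GroupLookup({sid: full}, now=lambda: clock[0])
    first = lk.getgroups(sid)                         # caches empty -> DC
    lk.record_logon(sid, ["Domain Users"])            # short info3, as suspected
    clock[0] += WINBINDD_CACHE_TTL + 1                # UG entry expires
    stale = lk.getgroups(sid)                         # stale netsamlogon hit
    del lk.netsamlogon_cache[sid], lk.winbindd_cache["UG/" + sid]
    fixed = lk.getgroups(sid)                         # back to the DC
    return first, stale, fixed
```

The model makes the symptom visible: clearing only winbindd_cache.tdb changes nothing, because the stale netsamlogon_cache entry is consulted before the DC on every refresh.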

