Regarding retrieving user group membership using wbinfo.

Hemanth Thummala hemanth.thummala at gmail.com
Thu Jun 12 06:05:44 MDT 2014


OK. I have found that group membership information is not complete when the
user tries to log in using Kerberos.

In the case of Kerberos there is a PAC_LOGON_INFO structure which is derived from
the user's ticket.

The structure looks like this:

struct PAC_LOGON_INFO {
        struct netr_SamInfo3 info3;                  /* the same data NTLM returns in the netr_LogonSamLogonEx response */
        struct dom_sid2 *res_group_dom_sid;          /* [unique] domain SID the res_groups RIDs are relative to */
        struct samr_RidWithAttributeArray res_groups; /* resource group RIDs, not part of info3 */
};

The user in question has some extra SID information along with the primary groups.
But I am not sure what exactly these extra SID details are. There is not much
documentation about this in the code. But this data is also treated as groups of
which the user is a member.

This extra SID information is packed as part of res_groups in the PAC
structure, whereas in the case of NTLM it is packed in the info3 structure itself.

But in both cases (NTLM or Kerberos), we pass only the info3 structure to
netsamlogon_cache_store(). This ends up with fewer mappings in the cache in the
case of Kerberos.

Either we need to parse the group membership information into "info3" in both
cases, or we need a separate routine to update netsamlogon_cache in order to
read res_groups.

Thanks,
Hemanth.



On Mon, Jun 9, 2014 at 10:13 PM, Volker Lendecke <Volker.Lendecke at sernet.de>
wrote:

> On Mon, Jun 09, 2014 at 07:50:29PM +0530, Hemanth Thummala wrote:
> > OK. In a different test box, I am able to view the netr_LogonSamLogonEx
> > response in winbindd.log. Not sure why I was unable to see it in the box that I
> > was working on earlier.
> >
> > Here is the data that I am seeing in winbindd.log after running command
> > "wbinfo -a usera%password".
> >
> > [2014/06/09 07:05:33.007821,  1]
> > ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >        netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
> >           out: struct netr_LogonSamLogonEx
>
> Yes, that is exactly what I was looking for. There is
> similar output from smbd when dissecting the PAC, giving
> exactly the same information.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
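The fix sketched in the mail (fold the PAC's res_groups into info3 so that a routine which only receives info3 sees every membership) can be demonstrated without the Samba tree. The following is an added example, not Samba code: the structs are simplified stand-ins for Samba's dom_sid, samr_RidWithAttributeArray, netr_SamInfo3 and PAC_LOGON_INFO (field names follow the layout quoted above; sizes, helper names, the SE_GROUP_RESOURCE value and the sample ticket contents are assumptions), and the "cache" is represented only by a count of what a consumer handed info3 alone would store.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the Samba gen_ndr types (assumption, not the real layout). */
#define MAX_SUB_AUTHS 15
#define MAX_ENTRIES   64
#define SE_GROUP_RESOURCE 0x20000000u  /* MS-PAC attribute for a resource-group SID (assumed value) */

struct dom_sid {
    uint8_t  sid_rev_num;
    uint8_t  id_auth;      /* only the low byte of the 6-byte authority is modelled */
    uint8_t  num_auths;
    uint32_t sub_auths[MAX_SUB_AUTHS];
};
struct rid_with_attr       { uint32_t rid; uint32_t attributes; };
struct rid_with_attr_array { uint32_t count; struct rid_with_attr rids[MAX_ENTRIES]; };
struct sid_with_attr       { struct dom_sid sid; uint32_t attributes; };

/* The parts of netr_SamInfo3 a cache writer looks at: domain groups as RIDs
 * relative to domain_sid, plus fully qualified extra SIDs. */
struct sam_info3 {
    struct dom_sid domain_sid;
    struct rid_with_attr_array groups;
    uint32_t sidcount;
    struct sid_with_attr sids[MAX_ENTRIES];
};
struct pac_logon_info {
    struct sam_info3 info3;
    struct dom_sid *res_group_dom_sid;   /* NULL when the KDC sent no resource groups */
    struct rid_with_attr_array res_groups;
};

static int dom_sid_equal(const struct dom_sid *a, const struct dom_sid *b)
{
    return a->sid_rev_num == b->sid_rev_num && a->id_auth == b->id_auth &&
           a->num_auths == b->num_auths &&
           memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}

/* out = dom + "-" + rid; fails if the domain SID is already at the sub-authority limit */
static int sid_compose(const struct dom_sid *dom, uint32_t rid, struct dom_sid *out)
{
    if (dom->num_auths >= MAX_SUB_AUTHS) return -1;
    *out = *dom;
    out->sub_auths[out->num_auths++] = rid;
    return 0;
}

int dom_sid_string(const struct dom_sid *sid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "S-%u-%u", sid->sid_rev_num, sid->id_auth);
    for (uint8_t i = 0; i < sid->num_auths && n > 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - n, "-%u", sid->sub_auths[i]);
    return n;
}

/* What a routine that is handed only info3 (as netsamlogon_cache_store() is) can see. */
uint32_t info3_membership_count(const struct sam_info3 *info3)
{
    return info3->groups.count + info3->sidcount;
}

/* Fold res_groups into info3->sids. Returns SIDs appended, -1 on overflow.
 * SIDs already present in info3->sids are skipped, so a second call is a no-op. */
int merge_resource_groups(struct pac_logon_info *li)
{
    int added = 0;
    if (li->res_group_dom_sid == NULL) return 0;
    for (uint32_t i = 0; i < li->res_groups.count; i++) {
        struct sid_with_attr entry;
        uint32_t j;
        if (sid_compose(li->res_group_dom_sid, li->res_groups.rids[i].rid, &entry.sid) != 0)
            return -1;
        entry.attributes = li->res_groups.rids[i].attributes | SE_GROUP_RESOURCE;
        for (j = 0; j < li->info3.sidcount; j++)
            if (dom_sid_equal(&li->info3.sids[j].sid, &entry.sid)) break;
        if (j < li->info3.sidcount) continue;          /* already listed */
        if (li->info3.sidcount >= MAX_ENTRIES) return -1;
        li->info3.sids[li->info3.sidcount++] = entry;
        added++;
    }
    return added;
}

/* Constructed sample, not a real ticket: domain S-1-5-21-1-2-3, two domain groups
 * in info3, one foreign SID in info3.sids, two resource groups in the PAC. */
void build_sample_pac(struct pac_logon_info *li, struct dom_sid *res_dom)
{
    memset(li, 0, sizeof(*li));
    li->info3.domain_sid = (struct dom_sid){1, 5, 4, {21, 1, 2, 3}};
    li->info3.groups.count = 2;
    li->info3.groups.rids[0] = (struct rid_with_attr){513, 7};
    li->info3.groups.rids[1] = (struct rid_with_attr){1105, 7};
    li->info3.sidcount = 1;
    li->info3.sids[0] = (struct sid_with_attr){{1, 5, 5, {21, 9, 9, 9, 1000}}, 7};
    *res_dom = li->info3.domain_sid;   /* resource domain == account domain in this sample */
    li->res_group_dom_sid = res_dom;
    li->res_groups.count = 2;
    li->res_groups.rids[0] = (struct rid_with_attr){1200, 7};
    li->res_groups.rids[1] = (struct rid_with_attr){1201, 7};
}

/* Count visible through info3 before and after the merge (cache view). */
int sample_count_before_merge(void)
{
    struct pac_logon_info li; struct dom_sid rd;
    build_sample_pac(&li, &rd);
    return (int)info3_membership_count(&li.info3);
}
int sample_count_after_merge(void)
{
    struct pac_logon_info li; struct dom_sid rd;
    build_sample_pac(&li, &rd);
    if (merge_resource_groups(&li) < 0) return -1;
    return (int)info3_membership_count(&li.info3);
}
/* 1 if the last extra SID after merging renders as expected and carries SE_GROUP_RESOURCE. */
int sample_last_sid_is(const char *expected)
{
    struct pac_logon_info li; struct dom_sid rd; char buf[128];
    build_sample_pac(&li, &rd);
    merge_resource_groups(&li);
    dom_sid_string(&li.info3.sids[li.info3.sidcount - 1].sid, buf, sizeof(buf));
    return strcmp(buf, expected) == 0 &&
           (li.info3.sids[li.info3.sidcount - 1].attributes & SE_GROUP_RESOURCE) != 0;
}

int main(void)
{
    printf("info3 memberships before merge: %d\n", sample_count_before_merge());
    printf("info3 memberships after merge:  %d\n", sample_count_after_merge());
    return 0;
}
```

With the sample ticket, a consumer of info3 alone sees three memberships (two domain group RIDs plus one extra SID); after the merge it sees five, the two resource groups now appearing as fully qualified SIDs under res_group_dom_sid. The duplicate check matters in practice because a KDC may list the same SID in both places, and a cache keyed on SID should not store it twice.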