Regarding retrieving user group membership using wbinfo.

Richard Sharpe realrichardsharpe at gmail.com
Thu Jun 12 07:00:08 MDT 2014


On Thu, Jun 12, 2014 at 5:05 AM, Hemanth Thummala
<hemanth.thummala at gmail.com> wrote:
> OK. I have found that group membership information is not complete when the user
> tries to log in using Kerberos.
>
> In case of Kerberos there is PAC_LOGON_INFO structure which is derived from
> user's ticket.
>
> Structure looks:
>
> struct PAC_LOGON_INFO {
>         struct netr_SamInfo3 info3;
>         struct dom_sid2 *res_group_dom_sid;     /* [unique] */
>         struct samr_RidWithAttributeArray res_groups;
> };

The PAC is defined in MS-PAC. The above structure does not seem to
match anything in MS-PAC.

Does the user belong to groups not in the same domain that their SID is from?

> The user in question has some extra SID information alongside the primary groups.
> But I am not sure what exactly these extra SID details are. There is not much
> documentation about this in the code. But this data is also treated as groups of
> which the user is a member.
>
> This extra SID information is packed as part of res_groups in the PAC
> structure. Whereas in case of NTLM, it is packed in info3 structure itself.
>
> But in both cases (NTLM or Kerberos), we pass the info3 structure only to
> netsamlogon_cache_store(). This ends up leaving fewer mappings in the cache in the
> case of Kerberos.
>
> Either we need to parse the group membership information into "info3" in both
> cases, or we need to have a separate routine to update netsamlogon_cache
> in order to read res_groups.
>
> Thanks,
> Hemanth.
>
>
>
> On Mon, Jun 9, 2014 at 10:13 PM, Volker Lendecke <Volker.Lendecke at sernet.de>
> wrote:
>>
>> On Mon, Jun 09, 2014 at 07:50:29PM +0530, Hemanth Thummala wrote:
>> > OK. In a different test box, I am able to view the netr_LogonSamLogonEx
>> > response in winbindd.log. Not sure why I was unable to see it in the box
>> > that I was working on earlier.
>> >
>> > Here is the data that I am seeing in winbindd.log after running command
>> > "wbinfo -a usera%password".
>> >
>> > [2014/06/09 07:05:33.007821,  1]
>> > ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>> >        netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
>> >           out: struct netr_LogonSamLogonEx
>>
>> Yes, that is exactly what I was looking for. There is
>> similar output from smbd when dissecting the PAC, giving
>> exactly the same information.
>>
>> Volker
>>
>> --
>> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
>> phone: +49-551-370000-0, fax: +49-551-370000-9
>> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>> http://www.sernet.de, mailto:kontakt at sernet.de
>
>



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
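The gap Hemanth describes, as an added illustration that is not part of the thread or of Samba's code: a Kerberos PAC carries the user's groups in three places, the domain-relative RIDs in info3, the full extra SIDs in info3, and the resource-group RIDs in res_groups, which are relative to res_group_dom_sid rather than to info3's domain SID (MS-PAC calls these ResourceGroupDomainSid and ResourceGroupIds in KERB_VALIDATION_INFO). Anything that consults only info3, as the message says netsamlogon_cache_store() does, therefore sees fewer groups for a Kerberos logon than the ticket actually grants. The types below are simplified, hypothetical stand-ins for Samba's dom_sid, netr_SamInfo3 and PAC_LOGON_INFO, and the SIDs and RIDs in sample_pac() are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for Samba's NDR types (example only). */
#define MAX_SIDS 16
typedef struct { char s[64]; } sid_t;                    /* textual SID */
typedef struct { uint32_t rid; uint32_t attributes; } rid_attr_t;

typedef struct {
    sid_t      domain_sid;            /* info3.base.domain_sid */
    size_t     group_count;
    rid_attr_t groups[MAX_SIDS];      /* info3.base.groups: RIDs in domain_sid */
    size_t     sid_count;
    sid_t      extra_sids[MAX_SIDS];  /* info3.sids: full SIDs, e.g. other domains */
} info3_t;

typedef struct {
    info3_t    info3;
    int        have_res_domain;       /* res_group_dom_sid != NULL */
    sid_t      res_group_dom_sid;     /* domain the resource-group RIDs belong to */
    size_t     res_count;
    rid_attr_t res_groups[MAX_SIDS];  /* res_groups.rids */
} pac_logon_info_t;

static void sid_compose(sid_t *out, const sid_t *dom, uint32_t rid)
{
    snprintf(out->s, sizeof out->s, "%s-%u", dom->s, (unsigned)rid);
}

/* Append sid to out[] unless already present; returns the new count. */
static size_t add_unique(sid_t *out, size_t n, size_t max, const sid_t *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i].s, sid->s) == 0)
            return n;
    if (n < max)
        out[n++] = *sid;
    return n;
}

/* The groups visible when only info3 is consulted (the NTLM-shaped view). */
size_t groups_from_info3(const info3_t *i3, sid_t *out, size_t max)
{
    size_t n = 0;
    sid_t tmp;
    for (size_t i = 0; i < i3->group_count; i++) {
        sid_compose(&tmp, &i3->domain_sid, i3->groups[i].rid);
        n = add_unique(out, n, max, &tmp);
    }
    for (size_t i = 0; i < i3->sid_count; i++)
        n = add_unique(out, n, max, &i3->extra_sids[i]);
    return n;
}

/* The groups a Kerberos logon actually carries: info3 plus res_groups,
 * with res_groups RIDs resolved against res_group_dom_sid. */
size_t groups_from_pac(const pac_logon_info_t *pac, sid_t *out, size_t max)
{
    size_t n = groups_from_info3(&pac->info3, out, max);
    sid_t tmp;
    if (!pac->have_res_domain)
        return n;
    for (size_t i = 0; i < pac->res_count; i++) {
        sid_compose(&tmp, &pac->res_group_dom_sid, pac->res_groups[i].rid);
        n = add_unique(out, n, max, &tmp);
    }
    return n;
}

/* Constructed sample: domain groups 513 and 512, one cross-domain SID,
 * two domain-local resource groups 1200 and 1201. Values are made up. */
static pac_logon_info_t sample_pac(void)
{
    pac_logon_info_t p;
    memset(&p, 0, sizeof p);
    strcpy(p.info3.domain_sid.s, "S-1-5-21-1-2-3");
    p.info3.group_count = 2;
    p.info3.groups[0].rid = 513;
    p.info3.groups[1].rid = 512;
    p.info3.sid_count = 1;
    strcpy(p.info3.extra_sids[0].s, "S-1-5-21-9-9-9-1107");
    p.have_res_domain = 1;
    strcpy(p.res_group_dom_sid.s, "S-1-5-21-1-2-3");
    p.res_count = 2;
    p.res_groups[0].rid = 1200;
    p.res_groups[1].rid = 1201;
    return p;
}

size_t demo_count_info3_only(void)
{
    pac_logon_info_t p = sample_pac();
    sid_t out[MAX_SIDS];
    return groups_from_info3(&p.info3, out, MAX_SIDS);
}

size_t demo_count_with_res_groups(void)
{
    pac_logon_info_t p = sample_pac();
    sid_t out[MAX_SIDS];
    return groups_from_pac(&p, out, MAX_SIDS);
}

/* 1 if the fully merged group list contains sid, else 0. */
int demo_has_group(const char *sid)
{
    pac_logon_info_t p = sample_pac();
    sid_t out[MAX_SIDS];
    size_t n = groups_from_pac(&p, out, MAX_SIDS);
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i].s, sid) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("info3 only: %zu groups, with res_groups: %zu groups\n",
           demo_count_info3_only(), demo_count_with_res_groups());
    return 0;
}
```

With the sample ticket the info3-only view yields three group SIDs and the merged view five; the two missing ones are exactly the resource groups, which is the shortfall the cache would show after a Kerberos logon.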

