Regarding retrieving user group membership using wbinfo.

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jun 12 07:40:31 MDT 2014

On Thu, Jun 12, 2014 at 06:00:08AM -0700, Richard Sharpe wrote:
> On Thu, Jun 12, 2014 at 5:05 AM, Hemanth Thummala
> <hemanth.thummala at> wrote:
> > OK. I have found that group membership information is not complete when user
> > tries to login using Kerberos.
> >
> > In case of Kerberos there is PAC_LOGON_INFO structure which is derived from
> > user's ticket.
> >
> > Structure looks:
> >
> > struct PAC_LOGON_INFO {
> > struct netr_SamInfo3 info3;
> > struct dom_sid2 *res_group_dom_sid;/* [unique] */
> > struct samr_RidWithAttributeArray res_groups;
> > };
> The PAC is defined in MS-PAC. The above structure does not seem to
> match anything in MS-PAC.
> Does the user belong to groups not in the same domain that their SID is from?

It's highly likely that Samba's librpc/idl/krb5pac.idl gets
the structure names different from what MS-PAC calls them.
The content should be there however, possibly with different
substructuring. I guess what we call res_groups might be

    ULONG ResourceGroupCount;
    PGROUP_MEMBERSHIP ResourceGroupIds;

in [MS-PAC]. And you're right, at least in master
source3/auth/user_krb5.c we only look at the info3
substruct, not the res_groups.

Metze, do you have an idea what that really is about?



SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at

More information about the samba-technical mailing list