Regarding retrieving user group membership using wbinfo.

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jun 12 07:40:31 MDT 2014


On Thu, Jun 12, 2014 at 06:00:08AM -0700, Richard Sharpe wrote:
> On Thu, Jun 12, 2014 at 5:05 AM, Hemanth Thummala
> <hemanth.thummala at gmail.com> wrote:
> > OK. I have found that group membership information is not complete when user
> > tries to login using Kerberos.
> >
> > In case of Kerberos there is PAC_LOGON_INFO structure which is derived from
> > user's ticket.
> >
> > Structure looks:
> >
> > struct PAC_LOGON_INFO {
> >     struct netr_SamInfo3 info3;
> >     struct dom_sid2 *res_group_dom_sid; /* [unique] */
> >     struct samr_RidWithAttributeArray res_groups;
> > };
> 
> The PAC is defined in MS-PAC. The above structure does not seem to
> match anything in MS-PAC.
> 
> Does the user belong to groups not in the same domain that their SID is from?

It's highly likely that Samba's librpc/idl/krb5pac.idl gets
the structure names different from what MS-PAC calls them.
The content should be there however, possibly with different
substructuring. I guess what we call res_groups might be
called

    ULONG ResourceGroupCount;
    [size_is(ResourceGroupCount)]
    PGROUP_MEMBERSHIP ResourceGroupIds;

in [MS-PAC]. And you're right, at least in master
source3/auth/user_krb5.c we only look at the info3
substruct, not the res_groups.

Metze, do you have an idea what that really is about?

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
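Added example, not Samba's code: a small model of the PAC_LOGON_INFO quoted in the thread that shows which group SIDs are lost when only the info3 substruct is consulted and the res_groups part is ignored. The field names (domain_sid, group_rids, extra_sids) and all SID/RID values are constructed for illustration; resource-group RIDs are resolved against res_group_dom_sid as [MS-PAC] specifies for ResourceGroupIds.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SamInfo3:
    """Subset of netr_SamInfo3 relevant to group membership (assumed names)."""
    domain_sid: str                      # logon domain SID
    group_rids: List[int]                # RIDs relative to domain_sid
    extra_sids: List[str] = field(default_factory=list)  # full SIDs, e.g. cross-domain groups


@dataclass
class PacLogonInfo:
    """Mirror of the PAC_LOGON_INFO struct quoted in the thread."""
    info3: SamInfo3
    res_group_dom_sid: Optional[str] = None   # [unique]: may be NULL
    res_groups: List[int] = field(default_factory=list)  # RIDs relative to res_group_dom_sid


def group_sids_info3_only(pac: PacLogonInfo) -> List[str]:
    """Membership as derived when only the info3 substruct is looked at."""
    sids = [f"{pac.info3.domain_sid}-{rid}" for rid in pac.info3.group_rids]
    return sids + list(pac.info3.extra_sids)


def group_sids_complete(pac: PacLogonInfo) -> List[str]:
    """Membership including the resource groups carried in res_groups."""
    sids = group_sids_info3_only(pac)
    if pac.res_groups:
        if pac.res_group_dom_sid is None:
            raise ValueError("res_groups present but res_group_dom_sid is NULL")
        sids += [f"{pac.res_group_dom_sid}-{rid}" for rid in pac.res_groups]
    return list(dict.fromkeys(sids))  # de-duplicate, keep order


def missing_groups(pac: PacLogonInfo) -> List[str]:
    """Groups a Kerberos login would lack if res_groups is never consulted."""
    return sorted(set(group_sids_complete(pac)) - set(group_sids_info3_only(pac)))


# Constructed sample: two domain groups, one cross-domain group via extra_sids,
# and two resource groups that only appear in res_groups.
SAMPLE = PacLogonInfo(
    info3=SamInfo3("S-1-5-21-1-2-3", [513, 1105], ["S-1-5-21-9-9-9-1201"]),
    res_group_dom_sid="S-1-5-21-1-2-3",
    res_groups=[1300, 1301],
)

if __name__ == "__main__":
    print("missing from info3-only view:", missing_groups(SAMPLE))
```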

