Regarding retrieving user group membership using wbinfo.

Richard Sharpe realrichardsharpe at gmail.com
Thu Jun 12 08:16:33 MDT 2014


Actually,

After looking at the structures in master I don't think we understand them.
MSPAC refers to a SAM_INFO4 structure. It would seem that we have problems
with extra sids in the PAC.
On Jun 12, 2014 6:40 AM, "Volker Lendecke" <Volker.Lendecke at sernet.de> wrote:

> On Thu, Jun 12, 2014 at 06:00:08AM -0700, Richard Sharpe wrote:
> > On Thu, Jun 12, 2014 at 5:05 AM, Hemanth Thummala
> > <hemanth.thummala at gmail.com> wrote:
> > > OK. I have found that group membership information is not complete when user
> > > tries to login using Kerberos.
> > >
> > > In case of Kerberos there is PAC_LOGON_INFO structure which is derived from
> > > user's ticket.
> > >
> > > Structure looks:
> > >
> > > struct PAC_LOGON_INFO {
> > >     struct netr_SamInfo3 info3;
> > >     struct dom_sid2 *res_group_dom_sid; /* [unique] */
> > >     struct samr_RidWithAttributeArray res_groups;
> > > };
> >
> > The PAC is defined in MS-PAC. The above structure does not seem to
> > match anything in MS-PAC.
> >
> > Does the user belong to groups not in the same domain that their SID is from?
>
> It's highly likely that Samba's librpc/idl/krb5pac.idl gets
> the structure names different from what MS-PAC calls them.
> The content should be there however, possibly with different
> substructuring. I guess what we call res_groups might be
> called
>
>     ULONG ResourceGroupCount;
>     [size_is(ResourceGroupCount)]
>     PGROUP_MEMBERSHIP ResourceGroupIds;
>
> in [MS-PAC]. And you're right, at least in master
> source3/auth/user_krb5.c we only look at the info3
> substruct, not the res_groups.
>
> Metze, do you have an idea what that really is about?
>
> Thanks,
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
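
The gap discussed in this thread, as an added example that is not part of the original messages or Samba's code: group SIDs are expanded from the info3 group RIDs, the extra SIDs, and the resource groups, and reading only info3 leaves the resource group out. The struct layout, field names such as `extra_sids`, and all SID values are simplified, constructed assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins (assumptions, not Samba's types); SIDs are strings. */
struct rid_array { uint32_t count; const uint32_t *rids; };
struct logon_info {
    const char *domain_sid;          /* info3: the account's domain SID */
    struct rid_array groups;         /* info3: RIDs relative to domain_sid */
    uint32_t extra_count; const char *const *extra_sids; /* info3: full SIDs */
    const char *res_group_dom_sid;   /* [unique] pointer: may be NULL */
    struct rid_array res_groups;     /* RIDs relative to res_group_dom_sid */
};

/* Append "<dom>-<rid>" per RID; returns new count, or -1 if out overflows. */
static int add_rids(char out[][64], int n, int max, const char *dom,
                    const struct rid_array *a)
{
    for (uint32_t i = 0; n >= 0 && i < a->count; i++, n++)
        if (n >= max || snprintf(out[n], 64, "%s-%u", dom, (unsigned)a->rids[i]) >= 64)
            return -1;
    return n;
}

/* include_res == 0 models a consumer that reads only the info3 substruct. */
int collect_group_sids(const struct logon_info *li, int include_res,
                       char out[][64], int max)
{
    int n = add_rids(out, 0, max, li->domain_sid, &li->groups);
    for (uint32_t i = 0; n >= 0 && i < li->extra_count; i++, n++)
        if (n >= max || snprintf(out[n], 64, "%s", li->extra_sids[i]) >= 64)
            return -1;
    if (!include_res || li->res_groups.count == 0) return n;
    if (li->res_group_dom_sid == NULL) return -1; /* RIDs without a domain */
    return add_rids(out, n, max, li->res_group_dom_sid, &li->res_groups);
}

/* Constructed sample: two domain groups, one extra SID, one resource group. */
static const uint32_t sample_rids[] = { 513, 1105 }, sample_res_rids[] = { 1150 };
static const char *const sample_extra[] = { "S-1-5-21-4444-5555-6666-1200" };
const struct logon_info sample_li = { "S-1-5-21-1111-2222-3333", { 2, sample_rids },
    1, sample_extra, "S-1-5-21-1111-2222-3333", { 1, sample_res_rids } };

int main(void)
{
    char out[8][64];
    int n = collect_group_sids(&sample_li, 1, out, 8);
    for (int i = 0; i < n; i++) puts(out[i]);
    return n < 0;
}
```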

