Regarding retrieving user group membership using wbinfo.

Simo simo at
Thu Jun 12 10:10:51 MDT 2014

On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
> > > No. It is not SID compression. If I am reading the IDL correctly, we
> > > think  PAC contains a SamInfo3, bit it does not. It contains most of a
> > > SamInfo4 but defines it own structure.
> > 
> > There are 3/4 ways to lists SIDs in a PAC structure, one is the classic
> > way with only sids related to the domain, then a extra sid field with
> > sull SIDs not related to the domain, then a sid compression feature (to
> > reduce space, but still list extra sids) and I forgot if the Claim stuff
> > added a 4th way to lists SIDs or if it reuses one of the above.
> > 
> > It certainly isn't Sam Info3 and hasn't been for quite a while.
> So a simple way to get this done is to expand
> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
> simple patch, the problem is -- where should we put it
> exactly? :-)

That's a good question.
The least disruptive thing I can think of on the spot would be to change
the PAC to use the latest documented structure MS references in the docs
(Info4 ?) and then translate to Info3 by using accessors functions in
any code that touches the PAC (which should be few).

I know I need to be able to also access the raw structure of the PAC in
FreeIPA so I would avoid hacks and translating in the NDR code.


More information about the samba-technical mailing list