Regarding retrieving user group membership using wbinfo.
Richard Sharpe
realrichardsharpe at gmail.com
Thu Jun 12 18:35:23 MDT 2014
On Thu, Jun 12, 2014 at 9:43 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Thu, Jun 12, 2014 at 9:10 AM, Simo <simo at samba.org> wrote:
>> On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
>>> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
>>> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
>>> > > No. It is not SID compression. If I am reading the IDL correctly, we
>>> > > think PAC contains a SamInfo3, bit it does not. It contains most of a
>>> > > SamInfo4 but defines it own structure.
>>> >
>>> > There are 3/4 ways to lists SIDs in a PAC structure, one is the classic
>>> > way with only sids related to the domain, then a extra sid field with
>>> > sull SIDs not related to the domain, then a sid compression feature (to
>>> > reduce space, but still list extra sids) and I forgot if the Claim stuff
>>> > added a 4th way to lists SIDs or if it reuses one of the above.
>>> >
>>> > It certainly isn't Sam Info3 and hasn't been for quite a while.
>>>
>>> So a simple way to get this done is to expand
>>> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
>>> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
>>> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
>>> simple patch, the problem is -- where should we put it
>>> exactly? :-)
>>
>> That's a good question.
>> The least disruptive thing I can think of on the spot would be to change
>> the PAC to use the latest documented structure MS references in the docs
>> (Info4 ?) and then translate to Info3 by using accessors functions in
>> any code that touches the PAC (which should be few).
>
> Right. This is the structure that Microsoft defines
>
> typedef struct _KERB_VALIDATION_INFO {
> FILETIME LogonTime;
> FILETIME LogoffTime;
> FILETIME KickOffTime;
> FILETIME PasswordLastSet;
> FILETIME PasswordCanChange;
> FILETIME PasswordMustChange;
> RPC_UNICODE_STRING EffectiveName;
> RPC_UNICODE_STRING FullName;
> RPC_UNICODE_STRING LogonScript;
> RPC_UNICODE_STRING ProfilePath;
> RPC_UNICODE_STRING HomeDirectory;
> RPC_UNICODE_STRING HomeDirectoryDrive;
> USHORT LogonCount;
> USHORT BadPasswordCount;
> ULONG UserId;
> ULONG PrimaryGroupId;
> ULONG GroupCount;
> [size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
> ULONG UserFlags;
> USER_SESSION_KEY UserSessionKey;
> RPC_UNICODE_STRING LogonServer;
> RPC_UNICODE_STRING LogonDomainName;
> PISID LogonDomainId;
> ULONG Reserved1[2];
> ULONG UserAccountControl;
> ULONG SubAuthStatus;
> FILETIME LastSuccessfulILogon;
> FILETIME LastFailedILogon;
> ULONG FailedILogonCount;
> ULONG Reserved3;
>
> # We get it correct, mostly, to here (we have a UINT32 unknown[7] over
> the last five fields, I believe.
>
> ULONG SidCount;
> [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
> PISID ResourceGroupDomainSid;
> ULONG ResourceGroupCount;
> [size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
> } KERB_VALIDATION_INFO;
>
> After what we think is a SamInfo3 we assume that resource SIDs follow,
> so if there are extra SIDs, we miss them completely.
>
> Hemanth, the way to test this is to set up a forest with multiple
> domains, join DOM A, and create a user who has groups in DOM A and DOM
> B, and then see if the same problem occurs.
OK, it looks like I was mistaken WRT master. In master, we have, from
krb5pac.idl:
typedef struct {
netr_SamInfo3 info3;
dom_sid2 *res_group_dom_sid;
samr_RidWithAttributeArray res_groups;
} PAC_LOGON_INFO;
and from netlogon.idl:
typedef [public] struct {
netr_SamBaseInfo base;
uint32 sidcount;
[size_is(sidcount)] netr_SidAttr *sids;
} netr_SamInfo3;
Which matches what MS-PAC defines down to and including ExtraSIDs as
far as I can see, and then we have the resource SIDs after that.
So, now to look at the source for Samba 3.6.x.
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
More information about the samba-technical
mailing list