Regarding retrieving user group membership using wbinfo.

Andrew Bartlett abartlet at samba.org
Thu Jun 12 19:33:39 MDT 2014


On Thu, 2014-06-12 at 10:27 -0400, Simo wrote:
> On Thu, 2014-06-12 at 15:40 +0200, Volker Lendecke wrote:
> > On Thu, Jun 12, 2014 at 06:00:08AM -0700, Richard Sharpe wrote:
> > > On Thu, Jun 12, 2014 at 5:05 AM, Hemanth Thummala
> > > <hemanth.thummala at gmail.com> wrote:
> > > > OK. I have found that group membership information is not complete when user
> > > > tries to login using Kerberos.
> > > >
> > > > In case of Kerberos there is PAC_LOGON_INFO structure which is derived from
> > > > user's ticket.
> > > >
> > > > Structure looks:
> > > >
> > > > struct PAC_LOGON_INFO {
> > > > struct netr_SamInfo3 info3;
> > > > struct dom_sid2 *res_group_dom_sid;/* [unique] */
> > > > struct samr_RidWithAttributeArray res_groups;
> > > > };
> > > 
> > > The PAC is defined in MS-PAC. The above structure does not seem to
> > > match anything in MS-PAC.
> > > 
> > > Does the user belong to groups not in the same domain that their SID is from?
> > 
> > It's highly likely that Samba's librpc/idl/krb5pac.idl gets
> > the structure names different from what MS-PAC calls them.
> > The content should be there however, possibly with different
> > substructuring. I guess what we call res_groups might be
> > called
> > 
> >     ULONG ResourceGroupCount;
> >     [size_is(ResourceGroupCount)]
> >     PGROUP_MEMBERSHIP ResourceGroupIds;
> > 
> > in [MS-PAC]. And you're right, at least in master
> > source3/auth/user_krb5.c we only look at the info3
> > substruct, not the res_groups.
> > 
> > Metze, do you have an idea what that really is about?
> 
> I think we do not support SID compression yet ... :-(
> 
> Simo.

Indeed.  The last thread about this is here:

https://lists.samba.org/archive/samba-technical/2013-April/091302.html

Sadly I poured cold water on it here:
https://lists.samba.org/archive/samba-technical/2013-April/091306.html

and only in March this year did I drag it back up to say that it is
probably the best available option:

http://marc.info/?l=samba-technical&m=139475847418784&w=2

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
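An added example (my own, not Samba code and not from anyone in this thread) of the gap Volker and Simo describe: the resource-group section of PAC_LOGON_INFO carries the issuing domain's SID once plus bare RIDs, so a consumer that walks only the info3 substructure never sees those groups. The dict layout, the simplified key names inside info3, and the sample SIDs are assumptions constructed for the demonstration; the UserFlags values follow Samba's netlogon.idl.

```python
import struct

NETLOGON_EXTRA_SIDS = 0x0020       # UserFlags bit: ExtraSids is populated
NETLOGON_RESOURCE_GROUPS = 0x0200  # UserFlags bit: ResourceGroupIds is populated


def parse_sid(blob):
    """Decode a binary dom_sid: revision, sub-auth count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    rev, count = blob[0], blob[1]
    if rev != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def group_sids(logon_info, read_resource_groups=True):
    """Set of group SIDs carried by a PAC_LOGON_INFO-shaped dict (assumed layout).
    read_resource_groups=False mimics a consumer that only walks info3."""
    info3 = logon_info["info3"]
    dom = parse_sid(info3["domain_sid"])
    sids = {"%s-%d" % (dom, info3["primary_gid"])}
    sids.update("%s-%d" % (dom, rid) for rid, _attrs in info3["groups"])
    if info3["user_flags"] & NETLOGON_EXTRA_SIDS:
        sids.update(parse_sid(blob) for blob, _attrs in info3["extra_sids"])
    if read_resource_groups and info3["user_flags"] & NETLOGON_RESOURCE_GROUPS:
        rdom = parse_sid(logon_info["res_group_dom_sid"])
        sids.update("%s-%d" % (rdom, rid) for rid, _attrs in logon_info["res_groups"])
    return sids


# Constructed sample: user in S-1-5-21-1-2-3, plus one resource group issued in
# "compressed" form (domain SID once, RIDs in res_groups) by domain S-1-5-21-7-8-9.
SAMPLE = {
    "info3": {
        "domain_sid": bytes.fromhex("0104000000000005" "15000000" "01000000" "02000000" "03000000"),
        "primary_gid": 513,
        "groups": [(1107, 0x7)],
        "user_flags": NETLOGON_EXTRA_SIDS | NETLOGON_RESOURCE_GROUPS,
        "extra_sids": [(bytes.fromhex("0101000000000005" "0b000000"), 0x7)],  # S-1-5-11
    },
    "res_group_dom_sid": bytes.fromhex("0104000000000005" "15000000" "07000000" "08000000" "09000000"),
    "res_groups": [(1120, 0x20000007)],  # SE_GROUP_RESOURCE plus the enabled bits
}


def missing_resource_groups(logon_info):
    """SIDs an info3-only consumer drops: the membership gap the thread describes."""
    return group_sids(logon_info) - group_sids(logon_info, read_resource_groups=False)
```

Running `missing_resource_groups(SAMPLE)` on the constructed sample yields the single resource-group SID, which is exactly the membership an info3-only path would fail to grant.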