Regarding retrieving user group membership using wbinfo.

Andrew Bartlett abartlet at samba.org
Thu Jun 12 19:44:53 MDT 2014


On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
> > > No. It is not SID compression. If I am reading the IDL correctly, we
> > > think PAC contains a SamInfo3, but it does not. It contains most of a
> > > SamInfo4 but defines its own structure.
> > 
> > There are 3/4 ways to list SIDs in a PAC structure, one is the classic
> > way with only sids related to the domain, then an extra sid field with
> > full SIDs not related to the domain, then a sid compression feature (to
> > reduce space, but still list extra sids) and I forgot if the Claim stuff
> > added a 4th way to list SIDs or if it reuses one of the above.
> > 
> > It certainly isn't Sam Info3 and hasn't been for quite a while.
> 
> So a simple way to get this done is to expand
> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
> simple patch, the problem is -- where should we put it
> exactly? :-)

Yes, I think this is the simplest option at the moment.  See my other
mail for the sorry history of this saga.

I had been opposed to changing the structure contents from the
'pristine' structure given by the DC, but all the alternatives are much
worse. 

As to where, I think that a common function should be called from
before:

source3/winbindd/winbind_pam.c:winbindd_raw_kerberos_login()
	*info3 = &logon_info->info3;

source3/winbindd/winbind_pam.c:winbindd_pam_auth_pac_send()
		netsamlogon_cache_store(NULL, &logon_info->info3);

source3/auth/auth_generic.c:auth3_generate_session_info_pac()
	/* save the PAC data if we have it */
	if (logon_info) {
		netsamlogon_cache_store(ntuser, &logon_info->info3);
	}

In short, we should not directly de-reference for the info3, we should
generate a new one with the expanded groups, and return that.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
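As an added illustration of the expansion sketched in the thread (not code from the mail or from Samba), the following Python builds a new, expanded info3-style structure rather than modifying the one handed over by the DC, so the cached and returned copy carries the resource groups while the pristine PAC data stays intact. The LogonInfo/SidAttr classes and their field names are hypothetical stand-ins for the PAC_LOGON_INFO fields named above; the SE_GROUP_* values are the standard Windows group-attribute bits.

```python
from dataclasses import dataclass
from typing import List

# Standard Windows SE_GROUP_* attribute bits; SE_GROUP_RESOURCE marks SIDs
# that were derived from the PAC's resource-group list.
SE_GROUP_MANDATORY = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_RESOURCE = 0x20000000
DEFAULT_ATTRS = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED

@dataclass
class SidAttr:
    sid: str            # string form, e.g. "S-1-5-21-1-2-3-1105"
    attributes: int     # SE_GROUP_* bits

@dataclass
class LogonInfo:
    """Hypothetical stand-in for the parts of PAC_LOGON_INFO used here."""
    domain_sid: str              # info3.base.domain_sid
    group_rids: List[int]        # info3.base.groups, RIDs relative to domain_sid
    sids: List[SidAttr]          # info3.sids, fully qualified extra SIDs
    res_group_dom_sid: str       # PAC_LOGON_INFO.res_group_dom_sid
    res_group_rids: List[int]    # PAC_LOGON_INFO.res_groups

def expand_resource_groups(logon: LogonInfo) -> LogonInfo:
    """Return a new LogonInfo whose sids also carry the resource groups; the input is untouched."""
    if not logon.res_group_rids:
        return logon
    if not logon.res_group_dom_sid:
        raise ValueError("res_groups present but res_group_dom_sid is empty")
    seen = {s.sid for s in logon.sids}
    expanded = list(logon.sids)
    for rid in logon.res_group_rids:
        sid = f"{logon.res_group_dom_sid}-{rid}"
        if sid not in seen:          # do not duplicate a SID already in info3.sids
            expanded.append(SidAttr(sid, DEFAULT_ATTRS | SE_GROUP_RESOURCE))
            seen.add(sid)
    return LogonInfo(logon.domain_sid, list(logon.group_rids), expanded,
                     logon.res_group_dom_sid, list(logon.res_group_rids))

def all_group_sids(logon: LogonInfo) -> List[str]:
    """Flatten domain groups plus extra SIDs into the list winbindd would report."""
    return [f"{logon.domain_sid}-{rid}" for rid in logon.group_rids] + [s.sid for s in logon.sids]

# Constructed sample: two domain groups, one existing extra SID, two resource groups.
SAMPLE = LogonInfo("S-1-5-21-1-2-3", [513, 1105],
                   [SidAttr("S-1-5-21-7-7-7-1200", DEFAULT_ATTRS)],
                   "S-1-5-21-9-9-9", [1107, 1108])
```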
