Regarding retrieving user group membership using wbinfo.

Andrew Bartlett abartlet at
Thu Jun 12 19:44:53 MDT 2014

On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
> > > No. It is not SID compression. If I am reading the IDL correctly, we
> > > think PAC contains a SamInfo3, but it does not. It contains most of a
> > > SamInfo4 but defines its own structure.
> > 
> > There are 3/4 ways to list SIDs in a PAC structure, one is the classic
> > way with only sids related to the domain, then an extra sid field with
> > full SIDs not related to the domain, then a sid compression feature (to
> > reduce space, but still list extra sids) and I forgot if the Claim stuff
> > added a 4th way to list SIDs or if it reuses one of the above.
> > 
> > It certainly isn't Sam Info3 and hasn't been for quite a while.
> So a simple way to get this done is to expand
> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
> simple patch, the problem is -- where should we put it
> exactly? :-)

Yes, I think this is the simplest option at the moment.  See my other
mail for the sorry history of this saga.

I had been opposed to changing the structure contents from the
'pristine' structure given by the DC, but all the alternatives are much

As to where, I think that a common function should be called from

	*info3 = &logon_info->info3;

		netsamlogon_cache_store(NULL, &logon_info->info3);

	/* save the PAC data if we have it */
	if (logon_info) {
		netsamlogon_cache_store(ntuser, &logon_info->info3);

In short, we should not directly de-reference for the info3, we should
generate a new one with the expanded groups, and return that.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
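
The expansion discussed in this thread, as an added example that is not part of the original mail and is not Samba code: each RID from res_groups is appended to res_group_dom_sid and the result is placed in a newly allocated SID list, leaving the DC-supplied data untouched. The `struct sid` and `struct logon_info` types and the `expand_sids` name are simplified, hypothetical stand-ins for Samba's real structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUBAUTHS 15

/* Hypothetical stand-ins, not Samba's dom_sid or PAC_LOGON_INFO.
 * Revision and identifier authority are omitted for brevity. */
struct sid { uint8_t num_auths; uint32_t sub_auths[SID_MAX_SUBAUTHS]; };
struct logon_info {
    const struct sid *sids; size_t sidcount;     /* info3.sids */
    const struct sid *res_group_dom_sid;         /* NULL if absent */
    const uint32_t *res_rids; size_t res_count;  /* RIDs from res_groups */
};

/* Build a new list: the existing SIDs, then res_group_dom_sid + each RID.
 * The input is never modified. Returns 0 on success, -1 on error. */
int expand_sids(const struct logon_info *in, struct sid **out, size_t *n)
{
    size_t extra = in->res_group_dom_sid ? in->res_count : 0;
    size_t total, i;
    struct sid *list;

    /* Reject a domain SID with no room for a RID, and a count overflow. */
    if (extra && (in->res_group_dom_sid->num_auths >= SID_MAX_SUBAUTHS ||
                  extra > SIZE_MAX - in->sidcount))
        return -1;
    total = in->sidcount + extra;
    list = calloc(total ? total : 1, sizeof(*list));
    if (!list)
        return -1;
    if (in->sidcount)
        memcpy(list, in->sids, in->sidcount * sizeof(*list));
    for (i = 0; i < extra; i++) {
        struct sid s = *in->res_group_dom_sid;   /* copy, then append RID */
        s.sub_auths[s.num_auths++] = in->res_rids[i];
        list[in->sidcount + i] = s;
    }
    *out = list; *n = total;
    return 0;
}

int main(void)
{
    /* Constructed sample: domain sub-authorities 21-1-2-3, two RIDs. */
    struct sid dom = {4, {21, 1, 2, 3}}, have = {5, {21, 1, 2, 3, 513}};
    uint32_t rids[] = {1105, 1106};
    struct logon_info in = {&have, 1, &dom, rids, 2};
    struct sid *all; size_t n;
    if (expand_sids(&in, &all, &n) != 0) return 1;
    printf("%zu SIDs after expansion\n", n);
    free(all);
    return 0;
}
```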
