Regarding retrieving user group membership using wbinfo.

Alexander Bokovoy ab at
Fri Jun 13 02:04:25 MDT 2014

On Fri, Jun 13, 2014 at 4:44 AM, Andrew Bartlett <abartlet at> wrote:
> On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
>> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
>> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
>> > > No. It is not SID compression. If I am reading the IDL correctly, we
>> > > think  PAC contains a SamInfo3, bit it does not. It contains most of a
>> > > SamInfo4 but defines it own structure.
>> >
>> > There are 3/4 ways to lists SIDs in a PAC structure, one is the classic
>> > way with only sids related to the domain, then a extra sid field with
>> > sull SIDs not related to the domain, then a sid compression feature (to
>> > reduce space, but still list extra sids) and I forgot if the Claim stuff
>> > added a 4th way to lists SIDs or if it reuses one of the above.
>> >
>> > It certainly isn't Sam Info3 and hasn't been for quite a while.
>> So a simple way to get this done is to expand
>> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
>> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
>> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
>> simple patch, the problem is -- where should we put it
>> exactly? :-)
> Yes, I think this is the simplest option at the moment.  See my other
> mail for the sorry history of this saga.
> I had been opposed to changing the structure contents from the
> 'pristine' structure given by the DC, but all the alternatives are much
> worse.
> As to where, I think that a common function should be called from
> before:
> source3/winbindd/winbind_pam.c:winbindd_raw_kerberos_login()
>         *info3 = &logon_info->info3;
> source3/winbindd/winbind_pam.c:winbindd_pam_auth_pac_send()
>                 netsamlogon_cache_store(NULL, &logon_info->info3);
> source3/auth/auth_generic.c:auth3_generate_session_info_pac()
>         /* save the PAC data if we have it */
>         if (logon_info) {
>                 netsamlogon_cache_store(ntuser, &logon_info->info3);
>         }
> In short, we should not directly de-reference for the info3, we should
> generate a new one with the expanded groups, and return that.
As long as we don't get the PAC with expanded SIDs re-signed, it should be OK.
Note that re-signing will happen over cross-realm trust boundary and
there we better keep the original state of MS-PAC with RIDs to avoid
various problems with kernel/userspace boundaries due to expanded size
of the ticket.

/ Alexander Bokovoy

More information about the samba-technical mailing list