Regarding retrieving user group membership using wbinfo.
Richard Sharpe
realrichardsharpe at gmail.com
Fri Jun 13 21:15:42 MDT 2014
On Thu, Jun 12, 2014 at 5:35 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Thu, Jun 12, 2014 at 9:43 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On Thu, Jun 12, 2014 at 9:10 AM, Simo <simo at samba.org> wrote:
>>> On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
>>>> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
>>>> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
>>>> > > No. It is not SID compression. If I am reading the IDL correctly, we
>>>> > > think PAC contains a SamInfo3, bit it does not. It contains most of a
>>>> > > SamInfo4 but defines it own structure.
>>>> >
>>>> > There are 3/4 ways to lists SIDs in a PAC structure, one is the classic
>>>> > way with only sids related to the domain, then a extra sid field with
>>>> > sull SIDs not related to the domain, then a sid compression feature (to
>>>> > reduce space, but still list extra sids) and I forgot if the Claim stuff
>>>> > added a 4th way to lists SIDs or if it reuses one of the above.
>>>> >
>>>> > It certainly isn't Sam Info3 and hasn't been for quite a while.
>>>>
>>>> So a simple way to get this done is to expand
>>>> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
>>>> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
>>>> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
>>>> simple patch, the problem is -- where should we put it
>>>> exactly? :-)
>>>
>>> That's a good question.
>>> The least disruptive thing I can think of on the spot would be to change
>>> the PAC to use the latest documented structure MS references in the docs
>>> (Info4 ?) and then translate to Info3 by using accessors functions in
>>> any code that touches the PAC (which should be few).
>>
>> Right. This is the structure that Microsoft defines
>>
>> typedef struct _KERB_VALIDATION_INFO {
>> FILETIME LogonTime;
>> FILETIME LogoffTime;
>> FILETIME KickOffTime;
>> FILETIME PasswordLastSet;
>> FILETIME PasswordCanChange;
>> FILETIME PasswordMustChange;
>> RPC_UNICODE_STRING EffectiveName;
>> RPC_UNICODE_STRING FullName;
>> RPC_UNICODE_STRING LogonScript;
>> RPC_UNICODE_STRING ProfilePath;
>> RPC_UNICODE_STRING HomeDirectory;
>> RPC_UNICODE_STRING HomeDirectoryDrive;
>> USHORT LogonCount;
>> USHORT BadPasswordCount;
>> ULONG UserId;
>> ULONG PrimaryGroupId;
>> ULONG GroupCount;
>> [size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
>> ULONG UserFlags;
>> USER_SESSION_KEY UserSessionKey;
>> RPC_UNICODE_STRING LogonServer;
>> RPC_UNICODE_STRING LogonDomainName;
>> PISID LogonDomainId;
>> ULONG Reserved1[2];
>> ULONG UserAccountControl;
>> ULONG SubAuthStatus;
>> FILETIME LastSuccessfulILogon;
>> FILETIME LastFailedILogon;
>> ULONG FailedILogonCount;
>> ULONG Reserved3;
>>
>> # We get it correct, mostly, to here (we have a UINT32 unknown[7] over
>> the last five fields, I believe.
>>
>> ULONG SidCount;
>> [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
>> PISID ResourceGroupDomainSid;
>> ULONG ResourceGroupCount;
>> [size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
>> } KERB_VALIDATION_INFO;
>>
>> After what we think is a SamInfo3 we assume that resource SIDs follow,
>> so if there are extra SIDs, we miss them completely.
>>
>> Hemanth, the way to test this is to set up a forest with multiple
>> domains, join DOM A, and create a user who has groups in DOM A and DOM
>> B, and then see if the same problem occurs.
>
> OK, it looks like I was mistaken WRT master. In master, we have, from
> krb5pac.idl:
>
> typedef struct {
> netr_SamInfo3 info3;
> dom_sid2 *res_group_dom_sid;
> samr_RidWithAttributeArray res_groups;
> } PAC_LOGON_INFO;
>
> and from netlogon.idl:
>
> typedef [public] struct {
> netr_SamBaseInfo base;
> uint32 sidcount;
> [size_is(sidcount)] netr_SidAttr *sids;
> } netr_SamInfo3;
>
> Which matches what MS-PAC defines down to and including ExtraSIDs as
> far as I can see, and then we have the resource SIDs after that.
>
> So, now to look at the source for Samba 3.6.x.
OK, it looks like the problem is in make_session_info_krb5:
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info)
{
NTSTATUS status;
struct auth_serversupplied_info *server_info;
if (mapped_to_guest) {
status = make_server_info_guest(mem_ctx, &server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_guest failed: %s!\n",
nt_errstr(status)));
return status;
}
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again in make_server_info_info3() */
status = make_server_info_info3(mem_ctx,
ntuser, ntdomain,
&server_info,
&logon_info->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_info3 failed: %s!\n",
nt_errstr(status)));
return status;
}
If we have the logon_info we don't check if the PAC contains resource
SIDs. Of course, we would have to passed the flags from the PAC to
figure that out.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
More information about the samba-technical
mailing list