Regarding retrieving user group membership using wbinfo.

Richard Sharpe realrichardsharpe at gmail.com
Sun Jun 15 12:28:33 MDT 2014


On Sun, Jun 15, 2014 at 11:01 AM, Hemanth Thummala
<hemanth.thummala at gmail.com> wrote:
> I am able to reproduce the issue. Domain local group membership information
> is not shown when the user logs in using Kerberos, whereas the membership
> information is shown complete on NTLM authentication. I have yet to give it a
> try in the trusted domain scenario.
>
> Found Microsoft documentation for this case:
> http://support.microsoft.com/kb/2774190
>
> In our case, the customer is reluctant to make any authentication/group
> policy related changes. So I am planning to work on the changes to fix this
> issue.
>
> Looks like the proposed changes in
> https://lists.samba.org/archive/samba-technical/2013-April/091302.html can
> resolve the issue. As Volker mentioned, we need to come up with a common
> routine which will take care of copying resource group information to the
> info3 structure in all the (three) places.
>
> But I am not sure if the suggested piece of code can cover the trusted
> domain use case as well. Because I found this from Markus Baier's response.
> ...
> This solution works for me, but I think it will fail if the server with the
> resources the client is authenticating to is not in the same domain as the
> Kerberos KDC that performs the authentication server
> ticket request. In this case the logon domain and the resource domain would
> be different and it is not possible to integrate the rids from
> res_groups.rids into the info3->base.groups.rids array.
> ...

Putting that in pam_winbindd is probably the wrong place.

I have posted a possible fix, but it might need to change a bit.

The key is making sure that you get the correct info3 structure so
that it both gets placed into the cache and the token is correctly
generated.

Since you have a repro, you might try my (second) patch of yesterday
to see if it does indeed generate the correct token, etc.

No guarantees because I cannot test as yet, but at least it compiles.
However, I am still not sure that it does the correct things in the
case that resource SID compression is disabled on Server 2012.

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
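The point Markus Baier raises in the quoted text (resource-group RIDs are relative to the resource domain SID, so they can only be folded into info3->base.groups.rids when the resource domain is the logon domain) is easy to get wrong. The following Python model, written as an added example and not taken from Samba or from any patch in this thread, contrasts the two token-building strategies: the "merge RIDs into base.groups.rids" approach from the 2013 thread, which is rejected when the domains differ, and a full-SID token builder that stays correct across a trust. The field names (`domain_sid`, `base_group_rids`, `res_group_domain_sid`, `res_group_rids`, `extra_sids`) and all SID values are constructed for the example; they mirror the PAC/info3 concepts discussed above but are not Samba's actual struct members.

```python
"""Model of building a group token from info3-style data (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical, flattened view of the group data carried in an info3 / PAC logon
# info; names are assumptions for this example, not Samba's netr_SamInfo3 fields.
@dataclass
class Info3Groups:
    domain_sid: str                           # logon (account) domain SID
    base_group_rids: List[int]                # groups relative to domain_sid
    res_group_domain_sid: Optional[str] = None  # resource (domain local) group domain
    res_group_rids: List[int] = field(default_factory=list)  # relative to res_group_domain_sid
    extra_sids: List[str] = field(default_factory=list)      # groups already carried as full SIDs

# A domain SID looks like S-1-5-21-<a>-<b>-<c>; we validate before concatenating RIDs
# so a malformed SID cannot silently produce a bogus group identity.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

def _check_domain_sid(sid: str) -> str:
    if not _DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid!r}")
    return sid

def merge_res_group_rids_into_base(info: Info3Groups) -> List[int]:
    """The 'copy res_groups.rids into base.groups.rids' approach.

    Only valid when the resource groups belong to the logon domain, because
    base.groups.rids are interpreted relative to domain_sid. Across a trust the
    merge is refused rather than producing RIDs that resolve in the wrong domain.
    """
    _check_domain_sid(info.domain_sid)
    if not info.res_group_rids:
        return list(info.base_group_rids)
    if info.res_group_domain_sid != info.domain_sid:
        raise ValueError(
            "resource groups belong to "
            f"{info.res_group_domain_sid}, not logon domain {info.domain_sid}; "
            "their RIDs cannot be merged into base.groups.rids"
        )
    merged = list(info.base_group_rids)
    for rid in info.res_group_rids:
        if rid not in merged:          # keep the token free of duplicate groups
            merged.append(rid)
    return merged

def build_token_sids(info: Info3Groups) -> List[str]:
    """Build the token as full SIDs, qualifying each RID with its own domain SID.

    This is the representation that stays correct when the resource domain is a
    trusted domain rather than the logon domain.
    """
    dom = _check_domain_sid(info.domain_sid)
    sids: List[str] = [f"{dom}-{rid}" for rid in info.base_group_rids]
    if info.res_group_rids:
        if info.res_group_domain_sid is None:
            raise ValueError("resource group RIDs present without a resource domain SID")
        res_dom = _check_domain_sid(info.res_group_domain_sid)
        sids += [f"{res_dom}-{rid}" for rid in info.res_group_rids]
    # Groups delivered as full SIDs (assumed here to be where uncompressed resource
    # groups land) are appended as-is.
    sids += list(info.extra_sids)
    # Deduplicate while preserving order.
    seen = set()
    return [s for s in sids if not (s in seen or seen.add(s))]

# Constructed sample data: same-domain and cross-domain (trusted domain) cases.
LOGON_DOM = "S-1-5-21-1000-2000-3000"
TRUSTED_DOM = "S-1-5-21-7000-8000-9000"

SAME_DOMAIN = Info3Groups(LOGON_DOM, [513, 1107], LOGON_DOM, [1201, 513])
CROSS_DOMAIN = Info3Groups(LOGON_DOM, [513, 1107], TRUSTED_DOM, [1201])

if __name__ == "__main__":
    print("same domain, merged RIDs:", merge_res_group_rids_into_base(SAME_DOMAIN))
    print("cross domain, full SIDs: ", build_token_sids(CROSS_DOMAIN))
    try:
        merge_res_group_rids_into_base(CROSS_DOMAIN)
    except ValueError as exc:
        print("cross domain, RID merge refused:", exc)
```

Running the block shows the same-domain merge succeeding, the full-SID builder producing a token that carries the trusted domain's group under its own domain SID, and the RID merge being refused in the cross-domain case instead of mislabelling the group as a logon-domain RID.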

