Regarding retrieving user group membership using wbinfo.

Richard Sharpe realrichardsharpe at
Sun Jun 15 12:28:33 MDT 2014

On Sun, Jun 15, 2014 at 11:01 AM, Hemanth Thummala
<hemanth.thummala at> wrote:
> I am able to reproduce the issue. Domain local group membership information
> is not shown when the user login using Kerberos. Whereas the membership
> information is shown complete on NTLM authentication. I am yet to give a try
> in trusted domain scenario.
> Found Microsoft documentation for this case:
> In our case, customer is reluctant to change any authentication/ group
> policy related changes. So I am planning to work on the changes to fix this
> issue.
> Looks like proposed changes in
> can
> resolve the issue. As Volker mentioned, need to come with a common routine
> which will take care of copying resource group information to info3
> structure in all the(three) places.
> But I am not sure if the suggested piece of code can cover the trusted
> domain use case as well. Because I found this from Markus Baier's response.
> ...
> This solution works for me, but I think it will fail if the Server with the
> resources the client is authenticating to is not in the same domain as the
> Kerberos KDC that perform the authentication server
> ticket request. In this case the logon domain and the resource domain should
> be different and it is not possible to integrate the rids from
> res_groups.rids in the info3->base.groups.rids array.
> ...

Putting that in pam_winbindd is probably the wrong place.

I have posted a possible fix, but it might need to change a bit.

The key is making sure that you get the correct info3 structure so
that it both gets placed into the cache and the token is correctly

Since you have a repro, you might try my (second) patch of yesterday
to see if it does indeed generate the correct token and etc.

No guarantees because I cannot test as yet, but at least it compiles.
However, I am still not sure that it does the correct things in the
case that resource SID compression is disabled on Server 2012.

Richard Sharpe

More information about the samba-technical mailing list