Regarding retrieving user group membership using wbinfo.

Richard Sharpe realrichardsharpe at gmail.com
Sun Jun 15 16:15:02 MDT 2014


On Sun, Jun 15, 2014 at 11:28 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Sun, Jun 15, 2014 at 11:01 AM, Hemanth Thummala
> <hemanth.thummala at gmail.com> wrote:
>> I am able to reproduce the issue. Domain local group membership information
>> is not shown when the user logs in using Kerberos, whereas the membership
>> information is shown completely on NTLM authentication. I have yet to try
>> the trusted domain scenario.
>>
>> Found Microsoft documentation for this case:
>> http://support.microsoft.com/kb/2774190
>>
>> In our case, the customer is reluctant to make any authentication/group
>> policy related changes. So I am planning to work on the changes to fix this
>> issue.
>>
>> Looks like proposed changes in
>> https://lists.samba.org/archive/samba-technical/2013-April/091302.html can
>> resolve the issue. As Volker mentioned, we need to come up with a common
>> routine which will take care of copying resource group information to the
>> info3 structure in all (three) places.
>>
>> But I am not sure if the suggested piece of code can cover the trusted
>> domain use case as well, because I found this in Markus Baier's response.
>> ...
>> This solution works for me, but I think it will fail if the server with the
>> resources the client is authenticating to is not in the same domain as the
>> Kerberos KDC that performs the authentication server
>> ticket request. In this case the logon domain and the resource domain should
>> be different and it is not possible to integrate the rids from
>> res_groups.rids into the info3->base.groups.rids array.
>> ...
>
> Putting that in pam_winbindd is probably the wrong place.
>
> I have posted a possible fix, but it might need to change a bit.
>
> The key is making sure that you get the correct info3 structure so
> that it both gets placed into the cache and the token is correctly
> generated.
>
> Since you have a repro, you might try my (second) patch of yesterday
> to see if it does indeed generate the correct token, etc.
>
> No guarantees because I cannot test as yet, but at least it compiles.
> However, I am still not sure that it does the correct things in the
> case that resource SID compression is disabled on Server 2012.

Also, fixing the problem in winbindd_pam.c, from your point of view,
is not enough. If the token used in the smbd is not correct, then the
users will be unhappy, and even if you are storing the correct thing
in winbindd_pam.c, that will not make the smbds get the correct token,
because the auth code path uses the PAC directly from the ticket when
generating the token in the Kerberos case.

-- 
Regards,
Richard Sharpe
(How can one dispel sorrow? Only with Dukang wine. --Cao Cao)
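As an added illustration of the two approaches discussed above (not code from the thread or from Samba): merge_resource_rids is the proposed copy of res_groups.rids into info3->base.groups.rids, which is only valid inside one domain, and expand_group_sids is a domain-independent alternative that carries each RID together with its own domain SID, so the trusted-domain case Markus Baier describes no longer breaks. The struct rid_list, the function names and the S-1-5-21 sample SIDs are simplified, constructed stand-ins and assume nothing about Samba's real types.

```c
#include <stdio.h>
#include <string.h>
enum { MAX_GROUPS = 16, SID_LEN = 64 };

/* Hypothetical stand-in for info3->base.groups and the PAC res_groups list; not Samba's types. */
struct rid_list {
    const char *domain_sid;   /* e.g. "S-1-5-21-1-2-3"; the rids are relative to it */
    unsigned int rids[MAX_GROUPS];
    int count;
};

/* The thread's proposal: copy res_groups.rids into info3->base.groups.rids. A RID is
 * only meaningful relative to its domain SID, so this is correct only when both lists
 * belong to the same domain; the trusted-domain case must be refused (-1), not guessed. */
int merge_resource_rids(struct rid_list *base, const struct rid_list *res)
{
    if (res == NULL || res->count == 0) return base->count;
    if (res->domain_sid == NULL || strcmp(base->domain_sid, res->domain_sid) != 0)
        return -1;
    for (int i = 0; i < res->count; i++) {
        if (base->count >= MAX_GROUPS) return -1;
        base->rids[base->count++] = res->rids[i];
    }
    return base->count;
}

/* Domain-independent alternative: flatten both lists to full SID strings ("<domain sid>-<rid>")
 * usable for the token in either case. Returns the number of SIDs written, or -1 on error. */
int expand_group_sids(const struct rid_list *base, const struct rid_list *res,
                      char out[][SID_LEN], int max_out)
{
    const struct rid_list *lists[2] = { base, res };
    int n = 0;
    for (int l = 0; l < 2; l++) {
        const struct rid_list *g = lists[l];
        if (g == NULL) continue;
        if (g->domain_sid == NULL) return -1;  /* a RID without its domain is meaningless */
        for (int i = 0; i < g->count; i++) {
            if (n >= max_out) return -1;
            snprintf(out[n++], SID_LEN, "%s-%u", g->domain_sid, g->rids[i]);
        }
    }
    return n;
}

/* Constructed sample data: logon-domain groups; resource groups from the same and from a trusted domain. */
static struct rid_list logon_groups = { "S-1-5-21-1-2-3", { 513, 1105 }, 2 };
static const struct rid_list same_domain_res = { "S-1-5-21-1-2-3", { 1234 }, 1 };
static const struct rid_list trusted_res = { "S-1-5-21-9-9-9", { 1234 }, 1 };
static char sid_buf[MAX_GROUPS][SID_LEN];   /* output buffer for expand_group_sids() */
```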