Regarding retrieving user group membership using wbinfo.
realrichardsharpe at gmail.com
Sun Jun 15 18:57:26 MDT 2014
On Sun, Jun 15, 2014 at 3:15 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Sun, Jun 15, 2014 at 11:28 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On Sun, Jun 15, 2014 at 11:01 AM, Hemanth Thummala
>> <hemanth.thummala at gmail.com> wrote:
>>> I am able to reproduce the issue. Domain local group membership information
>>> is not shown when the user logs in using Kerberos, whereas the membership
>>> information is shown in full with NTLM authentication. I have yet to try
>>> the trusted domain scenario.
>>> Found Microsoft documentation for this case:
>>> In our case, the customer is reluctant to make any authentication/group
>>> policy related changes. So I am planning to work on the changes to fix this
>>> Looks like proposed changes in
>>> https://lists.samba.org/archive/samba-technical/2013-April/091302.html can
>>> resolve the issue. As Volker mentioned, we need to come up with a common routine
>>> which will take care of copying resource group information to the info3
>>> structure in all the (three) places.
>>> But I am not sure if the suggested piece of code can cover the trusted
>>> domain use case as well. Because I found this from Markus Baier's response.
>>> This solution works for me, but I think it will fail if the Server with the
>>> resources the client is authenticating to is not in the same domain as the
>>> Kerberos KDC that performs the authentication server
>>> ticket request. In this case the logon domain and the resource domain should
>>> be different and it is not possible to integrate the rids from
>>> res_groups.rids in the info3->base.groups.rids array.
>> Putting that in pam_winbindd is probably the wrong place.
>> I have posted a possible fix, but it might need to change a bit.
Attached is a slightly reworked patch for Hemanth to try if he has time.
1. It modifies the info3 extra sids in place rather than creating a new one.
2. It does not distinguish between the compressed SIDs being in the same domain
as the user or a different domain (and thus perhaps should add them to
groups or sids depending on that question).
Depending on feedback I can clean it up further and submit it with a
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4381 bytes
Desc: not available
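
The same-domain versus different-domain question from point 2 above, as an added example that is not part of the original message or of the attached patch. The structures and the function name `merge_resource_groups` are simplified, hypothetical stand-ins, not Samba's real info3 definitions, and all SID values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_SUBAUTHS 8

/* Simplified stand-ins for illustration, NOT Samba's real structures. */
struct sid { uint32_t sub[MAX_SUBAUTHS]; int n; };  /* sub-authorities only */
struct info3_model {
    struct sid domain_sid;                          /* user's logon domain */
    uint32_t group_rids[MAX_ENTRIES]; int n_rids;   /* RIDs relative to domain_sid */
    struct sid extra_sids[MAX_ENTRIES]; int n_sids; /* full SIDs from any domain */
};

static int sid_equal(const struct sid *a, const struct sid *b)
{
    return a->n == b->n && memcmp(a->sub, b->sub, (size_t)a->n * sizeof(uint32_t)) == 0;
}

/* Merge resource-group RIDs in place. A bare RID is only meaningful relative
 * to the logon domain, so RIDs from another domain are expanded to full SIDs.
 * Returns 0 on success, -1 (nothing modified) if the entries do not fit. */
int merge_resource_groups(struct info3_model *i3, const struct sid *res_dom,
                          const uint32_t *rids, int count)
{
    if (count < 0) return -1;
    if (sid_equal(&i3->domain_sid, res_dom)) {
        if (i3->n_rids + count > MAX_ENTRIES) return -1;
        for (int i = 0; i < count; i++)
            i3->group_rids[i3->n_rids++] = rids[i];
        return 0;
    }
    if (res_dom->n >= MAX_SUBAUTHS || i3->n_sids + count > MAX_ENTRIES) return -1;
    for (int i = 0; i < count; i++) {
        struct sid full = *res_dom;      /* resource domain SID ... */
        full.sub[full.n++] = rids[i];    /* ... with the RID appended */
        i3->extra_sids[i3->n_sids++] = full;
    }
    return 0;
}

int main(void)
{
    struct sid user_dom = { {21, 1111, 2222, 3333}, 4 };  /* constructed */
    struct sid res_dom  = { {21, 4444, 5555, 6666}, 4 };  /* constructed */
    struct info3_model i3 = { .domain_sid = user_dom };
    uint32_t rids[] = { 1105, 1106 };                     /* constructed */
    merge_resource_groups(&i3, &user_dom, rids, 2);
    merge_resource_groups(&i3, &res_dom, rids, 2);
    printf("group rids: %d, extra sids: %d\n", i3.n_rids, i3.n_sids);
    return 0;
}
```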