Regarding retrieving user group membership using wbinfo.

Richard Sharpe realrichardsharpe at gmail.com
Sun Jun 15 18:57:26 MDT 2014


On Sun, Jun 15, 2014 at 3:15 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Sun, Jun 15, 2014 at 11:28 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On Sun, Jun 15, 2014 at 11:01 AM, Hemanth Thummala
>> <hemanth.thummala at gmail.com> wrote:
>>> I am able to reproduce the issue. Domain local group membership information
>>> is not shown when the user logs in using Kerberos, whereas the membership
>>> information is shown completely on NTLM authentication. I have yet to try
>>> the trusted domain scenario.
>>>
>>> Found Microsoft documentation for this case:
>>> http://support.microsoft.com/kb/2774190
>>>
>>> In our case, the customer is reluctant to make any authentication/group
>>> policy related changes. So I am planning to work on the changes to fix this
>>> issue.
>>>
>>> Looks like the proposed changes in
>>> https://lists.samba.org/archive/samba-technical/2013-April/091302.html can
>>> resolve the issue. As Volker mentioned, we need to come up with a common
>>> routine which will take care of copying resource group information to the
>>> info3 structure in all (three) places.
>>>
>>> But I am not sure if the suggested piece of code can cover the trusted
>>> domain use case as well, because I found this in Markus Baier's response.
>>> ...
>>> This solution works for me, but I think it will fail if the server with the
>>> resources the client is authenticating to is not in the same domain as the
>>> Kerberos KDC that performs the authentication for the server
>>> ticket request. In this case the logon domain and the resource domain should
>>> be different and it is not possible to integrate the RIDs from
>>> res_groups.rids in the info3->base.groups.rids array.
>>> ...
>>
>> Putting that in pam_winbindd is probably the wrong place.
>>
>> I have posted a possible fix, but it might need to change a bit.

Attached is a slightly reworked patch for Hemanth to try if he has time.

Possible deficiencies:

1. It modifies the info3 extra SIDs in place rather than creating a new one.
2. It does not distinguish between the compressed SIDs being in the same domain
as the user or a different domain (and thus perhaps should add them to
groups or sids depending on that question).

Depending on feedback I can clean it up further and submit it with a
signed-off-by etc.

-- 
Regards,
Richard Sharpe
(How can one dispel sorrow? Only with Du Kang wine. -- Cao Cao)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sid-compression.patch
Type: text/x-patch
Size: 4381 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140615/49cf5eda/attachment.bin>
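The merge that the thread is circling around, written out as an added example in Python. This is not Samba's code and not the attached sid-compression.patch; it models the two cases named in the message above (compressed resource groups in the account's own domain versus in a different resource domain) and builds a new info3 instead of editing the existing one. The class names Info3 and ResourceGroups, the function names, and all SID values are assumptions made for the illustration; the field comments follow Samba's netr_SamInfo3 / PAC_LOGON_INFO naming loosely, and the two UserFlags bits are the values from MS-PAC section 2.5.

```python
"""Model of the resource SID compression (KB2774190) merge from the thread.

With resource SID compression, a Kerberos PAC carries domain-local groups
in a separate list (res_groups.rids, relative to res_group_dom_sid) rather
than in info3->base.groups.rids, so a token built from base.groups alone
misses them.  This is an added illustration, not Samba's implementation.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# UserFlags bits from MS-PAC 2.5 KERB_VALIDATION_INFO
# (Samba names them NETLOGON_EXTRA_SIDS / NETLOGON_RESOURCE_GROUPS).
NETLOGON_EXTRA_SIDS = 0x0020
NETLOGON_RESOURCE_GROUPS = 0x0200


@dataclass
class Info3:
    """Subset of netr_SamInfo3 used here (assumed field names)."""
    domain_sid: str        # base.domain_sid: the account (logon) domain
    user_rid: int          # base.rid
    group_rids: List[int]  # base.groups.rids, relative to domain_sid
    extra_sids: List[str]  # sids[i].sid: full SIDs from any domain
    user_flags: int = 0    # base.user_flags


@dataclass
class ResourceGroups:
    """Resource group list from PAC_LOGON_INFO (assumed field names)."""
    domain_sid: str        # res_group_dom_sid: the resource domain
    rids: List[int]        # res_groups.rids, relative to domain_sid


def effective_sids(info3: Info3) -> set:
    """The SID set a token built from this info3 would carry."""
    sids = {f"{info3.domain_sid}-{info3.user_rid}"}
    sids.update(f"{info3.domain_sid}-{rid}" for rid in info3.group_rids)
    sids.update(info3.extra_sids)
    return sids


def merge_resource_groups(info3: Info3, res: Optional[ResourceGroups]) -> Info3:
    """Return a new Info3 with the compressed resource groups merged in.

    Same domain as the account: the RIDs belong in base.groups.rids.
    Different (resource) domain: they cannot be expressed relative to
    base.domain_sid, so they become full SIDs in the extra SID list and
    the EXTRA_SIDS flag is set so consumers look at that list.
    The input object is never modified.
    """
    groups = list(info3.group_rids)
    extras = list(info3.extra_sids)
    flags = info3.user_flags
    if res is not None:
        for rid in res.rids:
            if res.domain_sid == info3.domain_sid:
                if rid not in groups:           # dedupe against existing RIDs
                    groups.append(rid)
            else:
                full = f"{res.domain_sid}-{rid}"
                if full not in extras:
                    extras.append(full)
                    flags |= NETLOGON_EXTRA_SIDS
    return replace(info3, group_rids=groups, extra_sids=extras, user_flags=flags)


# Constructed sample data, not taken from a real PAC capture.
ACCOUNT_DOMAIN = "S-1-5-21-1111-2222-3333"
RESOURCE_DOMAIN = "S-1-5-21-4444-5555-6666"

KERBEROS_INFO3 = Info3(ACCOUNT_DOMAIN, 1105, [513, 1108], [], NETLOGON_RESOURCE_GROUPS)
SAME_DOMAIN_RES = ResourceGroups(ACCOUNT_DOMAIN, [1108, 1200])   # 1108 already present
CROSS_DOMAIN_RES = ResourceGroups(RESOURCE_DOMAIN, [1300])       # Markus Baier's case


def demo() -> None:
    before = effective_sids(KERBEROS_INFO3)
    same = merge_resource_groups(KERBEROS_INFO3, SAME_DOMAIN_RES)
    cross = merge_resource_groups(KERBEROS_INFO3, CROSS_DOMAIN_RES)
    print("before merge :", sorted(before))
    print("same domain  :", sorted(effective_sids(same) - before))
    print("cross domain :", sorted(effective_sids(cross) - before))


if __name__ == "__main__":
    demo()
```

Run it as a script to see which SIDs each merge adds to the token; the cross-domain RID lands in extra_sids as a full SID rather than being forced into base.groups.rids, which is the failure Markus Baier described.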

