SID Compression and member servers ...

Richard Sharpe realrichardsharpe at
Mon Jun 16 07:20:57 MDT 2014

On Mon, Jun 16, 2014 at 3:55 AM, Hemanth Thummala
<hemanth.thummala at> wrote:
> I have tested these changes (applied to our 3.6 sources). Fix is working
> fine. Able to retrieve the full group membership even after user logs in
> using Kerberos.

OK, this is good. Now, being able to retrieve the full group
membership with wbinfo is good, the real test is access permissions.

Did you create a directory that allows the creation of files, for
example, only with membership in one of those groups.

If the groups did not get into the token then the problem is not fixed
and you will only know that if:

1. You tested for it explicitly, or
2. You have a log-level 10 log and you see the token printed out and
it contains the correct set of groups.

> Same changes are required in winbindd_pam.c in winbindd_raw_kerberos_login
> without which netsamlog_cache.tdb is still not updating correct thing on
> running the command "wbinfo--krb5auth=user%password".
> But I am yet to try the trusted domain scenario. Will update if I am able to
> verify this as well.
> Thanks,
> Hemanth.
> On Sun, Jun 15, 2014 at 3:50 AM, Richard Sharpe
> <realrichardsharpe at> wrote:
>> On Sat, Jun 14, 2014 at 2:44 PM, Richard Sharpe
>> <realrichardsharpe at> wrote:
>> > For anyone following along at home the attached patch might work :-)
>> >
>> > It compiles, but I don't have a debug setup to test it with at the
>> > moment.
>> A fix for the obvious error ...
>> --
>> Regards,
>> Richard Sharpe
>> (何以解憂?唯有杜康。--曹操)

Richard Sharpe

More information about the samba-technical mailing list