SID Compression and member servers ...

Hemanth Thummala hemanth.thummala at gmail.com
Mon Jun 16 10:56:49 MDT 2014


I haven't tested with directory access. But I have verified through the log
that all group information (including domain local group) is retrieved and
updated netsamlogon_cache.tdb correctly. Will also verify using directory
access.

Thanks,
Hemanth.


On Mon, Jun 16, 2014 at 6:50 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Mon, Jun 16, 2014 at 3:55 AM, Hemanth Thummala
> <hemanth.thummala at gmail.com> wrote:
> > I have tested these changes (applied to our 3.6 sources). Fix is working
> > fine. Able to retrieve the full group membership even after user logs in
> > using Kerberos.
>
> OK, this is good. Now, being able to retrieve the full group
> membership with wbinfo is good, the real test is access permissions.
>
> Did you create a directory that allows the creation of files, for
> example, only with membership in one of those groups?
>
> If the groups did not get into the token then the problem is not fixed
> and you will only know that if:
>
> 1. You tested for it explicitly, or
> 2. You have a log-level 10 log and you see the token printed out and
> it contains the correct set of groups.
>
> > Same changes are required in winbindd_pam.c in winbindd_raw_kerberos_login
> > without which netsamlogon_cache.tdb is still not updating correct thing on
> > running the command "wbinfo --krb5auth=user%password".
> >
> > But I am yet to try the trusted domain scenario. Will update if I am able to
> > verify this as well.
> >
> > Thanks,
> > Hemanth.
> >
> >
> > On Sun, Jun 15, 2014 at 3:50 AM, Richard Sharpe
> > <realrichardsharpe at gmail.com> wrote:
> >>
> >> On Sat, Jun 14, 2014 at 2:44 PM, Richard Sharpe
> >> <realrichardsharpe at gmail.com> wrote:
> >> > For anyone following along at home the attached patch might work :-)
> >> >
> >> > It compiles, but I don't have a debug setup to test it with at the
> >> > moment.
> >>
> >> A fix for the obvious error ...
> >>
> >> --
> >> Regards,
> >> Richard Sharpe
> >> (何以解憂?唯有杜康。--曹操)
> >
> >
>
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
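
Added example, not part of the original thread or of Samba's code: one way to do the second check Richard lists, comparing the token printed in a log-level 10 log against the groups the user should have. The dump layout matched by the regular expressions is an assumption, all SIDs and the sample log are constructed, and `parse_tokens` / `missing_groups` are hypothetical helper names.

```python
import re

# Assumed layout of the token dump in a log-level 10 smbd log.
TOKEN_START = re.compile(r"NT user token of user (S-1-[\d-]+)")
SID_COUNT = re.compile(r"contains (\d+) SIDs")
SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
USER = DOMAIN + "-1105"                                # constructed user RID
EXPECTED = [DOMAIN + "-513", DOMAIN + "-1120"]         # -1120: constructed domain local group

# Constructed sample: the domain local group is absent from the token.
SAMPLE_LOG = f"""\
  NT user token of user {USER}
  contains 4 SIDs
  SID[  0]: {USER}
  SID[  1]: {DOMAIN}-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-11
"""

def parse_tokens(log_text):
    """Return {user_sid: set of SIDs} from the last complete dump per user."""
    tokens, user, declared, sids = {}, None, None, []

    def flush():
        # Keep a dump only if it lists as many SIDs as it declared,
        # so a truncated log is not mistaken for a short token.
        if user is not None and declared == len(sids):
            tokens[user] = set(sids)

    for line in log_text.splitlines():
        if m := TOKEN_START.search(line):
            flush()
            user, declared, sids = m.group(1), None, []
        elif user and (m := SID_COUNT.search(line)):
            declared = int(m.group(1))
        elif user and (m := SID_LINE.search(line)):
            sids.append(m.group(1))
    flush()
    return tokens

def missing_groups(log_text, user_sid, expected_sids):
    """Expected group SIDs that are not in the user's logged token."""
    tokens = parse_tokens(log_text)
    if user_sid not in tokens:
        raise LookupError(f"no complete token dump for {user_sid}")
    return sorted(set(expected_sids) - tokens[user_sid])

if __name__ == "__main__":
    print(missing_groups(SAMPLE_LOG, USER, EXPECTED))
```

A non-empty result means the listed groups never reached the token, so access checks that depend on them will fail even if wbinfo reports the full membership.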


More information about the samba-technical mailing list