[Patch] Bug 11362 primary group missing in kerberos PAC GROUP_MEMBERSHIP_ARRAY

Andrew Bartlett abartlet at samba.org
Thu Jun 25 18:36:03 MDT 2015


On Thu, 2015-06-25 at 14:09 +0200, Felix Botner wrote:
> Hi,
> 
> this patch adds the primary group to the Kerberos PAC_LOGON_INFO
> GROUP_MEMBERSHIP_ARRAY.
> 
> GPO security filtering is based on the groups in the Kerberos PAC.
> If the primary group is missing and the security filter is the
> primary group, the GPO cannot be applied.
> 
> More information can be found on https://bugzilla.samba.org/show_bug.cgi?id=11362

This looks really interesting.  What we need is a couple of tests:
 - a manual test to confirm that this behaviour is the same over
SamLogon on NETLOGON
 - the addition of an automated test, using net ads kerberos pac dump.  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
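
The failure described in the quoted report, as an added example that is not part of the original thread or of Samba's code: a simplified model of a client that builds its group SIDs only from the PAC group array and then evaluates a GPO security filter. The `LogonInfo` class, the function names, the domain SID and the RIDs are constructed for illustration, and the filter check is reduced to a SID match rather than a full ACL evaluation.

```python
from dataclasses import dataclass, field


@dataclass
class LogonInfo:
    """Hypothetical, simplified stand-in for the PAC_LOGON_INFO fields in question."""
    domain_sid: str
    user_rid: int
    primary_gid: int
    group_rids: list = field(default_factory=list)  # RIDs in GROUP_MEMBERSHIP_ARRAY


def pac_group_sids(info):
    """Group SIDs derived from the group array only; the primary group is not added."""
    return {f"{info.domain_sid}-{rid}" for rid in info.group_rids}


def primary_group_in_array(info):
    """The property an automated test would assert on a dumped PAC."""
    return info.primary_gid in info.group_rids


def gpo_applies(info, filter_sids):
    """Simplified security filtering: apply if any filter SID is the user or a PAC group."""
    token = pac_group_sids(info) | {f"{info.domain_sid}-{info.user_rid}"}
    return bool(token & set(filter_sids))


def with_primary_group(info):
    """Model of the described change: make sure the primary group RID is in the array."""
    rids = list(info.group_rids)
    if info.primary_gid not in rids:
        rids.append(info.primary_gid)
    return LogonInfo(info.domain_sid, info.user_rid, info.primary_gid, rids)


# Constructed sample data (not taken from a real PAC).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
before = LogonInfo(DOMAIN, user_rid=1105, primary_gid=513, group_rids=[1120, 1121])
gpo_filter = [f"{DOMAIN}-513"]  # GPO filtered on the user's primary group

if __name__ == "__main__":
    after = with_primary_group(before)
    for label, info in (("primary group missing", before), ("primary group present", after)):
        print(label, "| in array:", primary_group_in_array(info),
              "| GPO applies:", gpo_applies(info, gpo_filter))
```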



