[PR PATCH] idmap_rid: default group always set to "Domain Users"

Isaac Boukris iboukris at gmail.com
Wed Apr 18 06:52:36 UTC 2018

On Fri, Apr 13, 2018 at 5:59 PM, Volker Lendecke via samba-technical
<samba-technical at lists.samba.org> wrote:
> On Thu, Apr 12, 2018 at 09:47:55PM +0300, Uri Simchoni via samba-technical wrote:
>> The thing I'm less certain about is the "somehow". I'd guess an RPC to
>> the DC would do it correctly irrespective of the winbindd backend, but I
>> could be missing something here. In the original code we had a
>> _wbint_QueryUser to deal with that on a per-backend basis, and it was
>> removed in the series of commits that ended in
>> 319d60285c92bbf86bc0a3f872f9c9f9d0530129. I'm not sure we really need
>> this per-backend behavior though - all AD DC's support RPC, and the ad
>> backend already does lots of RPC, it's far from pure ldap (and rightly so).
> wbint_QueryUser would have to use samr. This can at best (if at all)
> with the domain we're member of. And even that is something we need to
> get rid of. Without a samlogon cache entry there is just no reliable
> way to get that done. The only way out is (I believe) a s4u2self

I am curious what samr-rpc you are referring to, that could resolve
user's sids in local domain.
The one I can see, queryusergroups, doesn't seem to provide nesting
group, only direct membership, like:
# rpcclient -UAdministrator wdc.acme.com -c 'queryusergroups 1105'

If there is a way to get group membership via rpc without auth, it may
have some advantage over krb5 which requires the client to talk to all
the DCs.
The only rpc I found, which sound like it should work according to doc
(MS-NRPC), is calling NetrLogonSamLogonEx with
NetlogonGenericInformation using a x509 certificate (which I tried to
test without much luck).

More information about the samba-technical mailing list