[PATCH] Small update to wbinfo --user-groups
asn at samba.org
Wed Feb 14 14:39:50 UTC 2018
On Wednesday, 14 February 2018 15:37:57 CET Volker Lendecke via samba-
> On Wed, Feb 14, 2018 at 02:03:04PM +0100, Andreas Schneider wrote:
> > On Wednesday, 14 February 2018 12:30:01 CET Volker Lendecke wrote:
> > > On Wed, Feb 14, 2018 at 12:13:33PM +0100, Andreas Schneider via samba-
> > technical wrote:
> > > > I've added the following tests to 'wbinfo --user-groups':
> > > >
> > > > NOTE: The information is retrieved using the machine account
> > > > credentials
> > > > with limited access permissions, the result may be incomplete or
> > > > incorrect!
> > > >
> > > > I get bug reports that nested groups are not in the output. Those can
> > > > only be calculated during authentication.
> > > >
> > > >
> > > > Please review and push if OK.
> > >
> > > If we want to be precise: This info is supposed to be correct after a
> > > successful login, either via Kerberos or via NTLM, i.e. wbinfo -a.
> > > Also, you might want to describe that we cache successful logins
> > > indefinitely, so wbinfo -r will output stale information if group
> > > memberships change in AD and the user has not re-logged in after that
> > > change.
> > >
> > > Hope that helps,
> > Thanks for the feedback. Is the updated patch ok? I'm using "authenticated",
> > should I use "logged in"?
> Sorry, this also does not mention anything like "authenticated". Wrong
Yes, wrong patch. Sorry.
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
-------------- next part --------------
>From 956d93bbc6a6d5fde1a173f6e4c647b02edc8df9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Wed, 14 Feb 2018 12:05:16 +0100
Subject: [PATCH] docs: Add a note that 'wbinfo --user-groups' may be incomplete
Signed-off-by: Andreas Schneider <asn at samba.org>
docs-xml/manpages/wbinfo.1.xml | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
index c427007be0f..e2042ca623a 100644
@@ -384,10 +384,35 @@
- <listitem><para>Try to obtain the list of UNIX group ids
- to which the user belongs. This only works for users
- defined on a Domain Controller.
+ Try to obtain the list of UNIX group ids to which the
+ user belongs. This only works for users defined on a
+ Domain Controller.
+ <para>There are two scenaries:</para>
+ User authenticated: When the user has been
+ authenticated, the access token for the user is
+ cached. The correct group memberships are then
+ returned from the cached user token (which can
+ be outdated).
+ User *NOT* authenticated: The information is
+ queries from the domain controller using the
+ machine account credentials which have limited
+ permissions. The result is normally incomplete
+ and can be also incorrect.
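Review bot: the "User authenticated" paragraph calls the cached memberships "correct" and then says in the same sentence that they "can be outdated", which leaves an administrator unsure whether the output can be relied on for access decisions. Suggest stating that the list reflects the token from the last successful authentication and, as raised earlier in this thread, that it stays cached until the user logs in again, so membership changes made in AD after that login (including removals) are not shown. Two typos in the added text also need fixing: "scenaries" should be "scenarios", and "is queries from the domain controller" should be "is queried from the domain controller". In the unauthenticated paragraph, "can be also incorrect" reads better as "can also be incorrect".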