Reliably looking up user's group membership SIDs

Isaac Boukris iboukris at gmail.com
Fri Mar 2 05:55:46 UTC 2018


Hello all,

Intro:

We are having a discussion on the FreeRadius mailing list on how to
improve AD group matching (including nested), in post authentication
policy.
The general idea is to save the SIDs returned by
wbcAuthenticateUserEx(), then translate the group name from the policy to
its SID with wbcLookupName() and compare (or have SIDs in policy).

This seems to be working fine for mschap and plain auth, however this
leaves out eap-tls and other auth types. While [MS-NRPC] mentions
something about calling NetrLogonSamLogonEx() with an x509
certificate to get his token, I am not sure how it works and what it
requires (see [MS-RCMP]).

I've tried to use wbcLookupUserSids() (wbinfo --user-sids), but that
didn't work as expected. On a domain member I always get an error, and
on a DC it seems to only return direct membership. Not sure what it is
supposed to do and how.

Then I thought to impersonate the user using machine credentials -
as any service principal can get a ticket for self (non-forwardable
S4U2self), so I could extract the PAC and pass it to
wbcAuthenticateUserEx() using WBC_AUTH_USER_LEVEL_PAC and get the SIDs
list, which worked ok.
At this point I also found: 'net ads kerberos pac dump -P impersonate=isaac'
Which makes it much easier to get a PAC for a given user via
impersonation (by saving it in a file for instance).

Suggestion:

However I was thinking maybe wbclient library could wrap this up for
the user, to make it easier to use with no need to get hands dirty
with machine creds etc (especially as net api isn't a library call).
Then in turn, wbinfo could use this functionality to display user's SIDs.

Here is what I suggest the API could look like (wip):
https://github.com/frenche/samba/commit/7dbae128461cb190dac2d10e0c5bd1ee9e992976

Thoughts?

Thanks!
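
The comparison step described in the intro (SIDs saved from authentication checked against the SID of a policy group), as an added example that is not part of the original post and is not Samba or FreeRADIUS code. It assumes the SIDs are already available in string form and does not link libwbclient; `struct sid`, `sid_parse()` and `token_has_group()` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SUBAUTHS 15 /* a SID carries at most 15 sub-authorities */
struct sid { /* hypothetical type for this example, not wbcDomainSid */
    uint64_t id_auth; /* 48-bit identifier authority */
    uint8_t num_auths;
    uint32_t sub_auths[MAX_SUBAUTHS];
};

/* Parse one decimal field; -1 on sign, blank, empty field or out of range. */
static int field(const char **p, unsigned long long max, unsigned long long *v)
{
    char *end;
    if (**p < '0' || **p > '9') return -1;
    *v = strtoull(*p, &end, 10); /* overflow saturates to ULLONG_MAX > max */
    *p = end;
    return *v > max ? -1 : 0;
}

/* Strictly parse "S-1-<auth>-<sub>..."; 0 on success, -1 if malformed. */
int sid_parse(const char *s, struct sid *out)
{
    unsigned long long v;
    memset(out, 0, sizeof(*out));
    if (s == NULL || strncmp(s, "S-1-", 4) != 0) return -1;
    s += 4;
    if (field(&s, 0xFFFFFFFFFFFFULL, &v)) return -1;
    out->id_auth = v;
    while (*s == '-') {
        s++;
        if (out->num_auths == MAX_SUBAUTHS || field(&s, UINT32_MAX, &v)) return -1;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1;
}

/* 1 = member, 0 = not a member, -1 = unparsable SID (caller should deny). */
int token_has_group(const char *const *token, size_t n, const char *group)
{
    struct sid want, have;
    int found = 0;
    if (sid_parse(group, &want)) return -1;
    for (size_t i = 0; i < n; i++) {
        if (sid_parse(token[i], &have)) return -1;
        found |= have.id_auth == want.id_auth && have.num_auths == want.num_auths &&
                 !memcmp(have.sub_auths, want.sub_auths, sizeof(want.sub_auths));
    }
    return found;
}
```

Comparing parsed values rather than strings means a group SID cannot match on a shared textual prefix, and a malformed entry anywhere in the list yields -1 so the policy can fail closed.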


