Reliably looking up user's group membership SIDs

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Mar 4 20:52:24 UTC 2018

On Sun, Mar 04, 2018 at 10:21:38PM +0200, Isaac Boukris via samba-technical wrote:
> I think a TLDR version is: would it make sense for
> wbcAuthenticateUserEx() (or wbclient api) to provide a new
> 'impersonate' level similar to WBC_AUTH_USER_LEVEL_PAC but only
> requiring the username instead of a PAC, while the winbindd backend
> will get the PAC via impersonation using machine account?
> This could allow wbinfo client (as root) and other services to get
> user's info and relevant membership SIDs (or are there better
> alternatives?).

Sounds good. It's just that someone has to do it.


Besuchen Sie die verinice.XP 2018 in Berlin,
Anwenderkonferenz für Informationssicherheit
vom 21.-23.03.2018 im Sofitel Kurfürstendamm
Info & Anmeldung hier:

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at

More information about the samba-technical mailing list