Reliably looking up user's group membership SIDs

Stefan Metzmacher metze at
Thu Mar 8 11:39:17 UTC 2018

On 04.03.2018 at 21:21, Isaac Boukris via samba-technical wrote:
> On Fri, Mar 2, 2018 at 7:55 AM, Isaac Boukris <iboukris at> wrote:
>> Suggestion:
>> However I was thinking maybe wbclient library could wrap this up for
>> the user, to make it easier to use with no need to get hands dirty
>> with machine creds etc (especially as net api isn't a library call).
>> Then in turn, wbinfo could use this functionality to display user's SIDs.
>> Here is how I suggest the API could look (wip):
> I think a TLDR version is: would it make sense for
> wbcAuthenticateUserEx() (or wbclient api) to provide a new
> 'impersonate' level similar to WBC_AUTH_USER_LEVEL_PAC but only
> requiring the username instead of a PAC, while the winbindd backend
> will get the PAC via impersonation using the machine account?
> This could allow wbinfo client (as root) and other services to get
> user's info and relevant membership SIDs (or are there better
> alternatives?).

I like the idea!

But I see problems in the S4U2Self implementations
of Heimdal and MIT. E.g. Heimdal currently only supports S4U2Self for
services in the primary domain. MIT doesn't support S4U2Self with
enterprise principals.

In both cases we don't have control over the DCs which are used
while traversing the trust chain. And DNS misconfiguration, as
well as firewalls, could cause Kerberos library calls to hang forever
(where only SIGKILL could remove the process).

I think the way to implement S4U2Self reliably would be to use
krb5_{init,tkt}_creds_step(). This would keep the crypto
part handled by the Kerberos library, while the networking part
(site-aware DNS lookups and TCP handling) would be done by samba
code, which already has the required infrastructure to handle async
network I/O and proper timeout handling.
