[PATCH] Adds support for Resource SID Compression a new Windows Server 2012 KDC feature

Andrew Bartlett abartlet at samba.org
Mon Apr 1 14:51:17 MDT 2013


On Mon, 2013-04-01 at 17:25 +0200, Markus Baier wrote:
> Hello,
> 
> after studying the MS-KILE - v20130118 technical documentation
> especially page 46
> I have written an improved version of the patch.
> 
> Now it takes care, if the ResourceGroupDomainSid and the DomainSid
> are different.
> Then it emulates the compatibility mode, which
> a Windows Server 2012 KDC uses if the resource sid compression
> feature is disabled on the KDC.
> 
> If the two SIDs are different, I copy the RIDs from the
> ResourceGroupIds field as SIDs in the ExtraSids field.
> But if the ResourceGroupDomainSid and the DomainSid are identical,
> then I only copy the RIDs from the ResourceGroupIds field
> into the GroupIDs field to reduce the needed memory size.
> 
> 
> Best Regards
> Markus Baier
> 

This is the wrong place to handle this.  It should be handled where we
read the SIDs from the 'info3', not at some middle point.  Otherwise,
this might be fixed for wbinfo interactions, but not CIFS logins
directly accepting the PAC (for example). 

Sadly this seems to make the patch's task much more complex, as we
hand-encode and then parse the info3 as a text string in the wbinfo
library :-(

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
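
The expansion rule described in the quoted message, written out as an added C example; it is not the patch under discussion and not Samba code. `struct logon_info`, `expand_resource_groups`, the fixed table sizes and the string form of the SIDs are assumptions made for illustration, and group attributes are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 16
#define SID_LEN  64
/* Hypothetical, simplified stand-in for the logon info fields named in the
 * thread; SIDs are strings. This is not Samba's info3 structure. */
struct logon_info {
    const char *domain_sid;              /* DomainSid */
    uint32_t group_ids[MAX_SIDS];        /* GroupIds (RIDs under DomainSid) */
    size_t num_group_ids;
    char extra_sids[MAX_SIDS][SID_LEN];  /* ExtraSids (full SIDs) */
    size_t num_extra_sids;
    const char *res_domain_sid;          /* ResourceGroupDomainSid */
    uint32_t res_group_ids[MAX_SIDS];    /* ResourceGroupIds (RIDs) */
    size_t num_res_group_ids;
};

/* Fold ResourceGroupIds into GroupIds (same domain SID) or ExtraSids (different
 * domain SID). Returns 0, or -1 if it cannot: reject the whole token then. */
int expand_resource_groups(struct logon_info *li) {
    size_t n = li->num_res_group_ids;
    if (n == 0) return 0;                        /* nothing was compressed */
    if (!li->res_domain_sid || !li->domain_sid || n > MAX_SIDS) return -1;
    int same = strcmp(li->domain_sid, li->res_domain_sid) == 0;
    if ((same ? li->num_group_ids : li->num_extra_sids) > MAX_SIDS - n) return -1;
    for (size_t i = 0; i < n; i++) {
        if (same) {
            li->group_ids[li->num_group_ids++] = li->res_group_ids[i];
        } else {
            int len = snprintf(li->extra_sids[li->num_extra_sids], SID_LEN, "%s-%u",
                               li->res_domain_sid, (unsigned)li->res_group_ids[i]);
            if (len < 0 || len >= SID_LEN) return -1;   /* truncated SID */
            li->num_extra_sids++;
        }
    }
    li->num_res_group_ids = 0;                   /* consumed */
    return 0;
}

int main(void) {
    /* Constructed sample: one resource group from a different domain. */
    struct logon_info li = { .domain_sid = "S-1-5-21-1-2-3",
        .res_domain_sid = "S-1-5-21-7-8-9", .res_group_ids = {1105}, .num_res_group_ids = 1 };
    if (expand_resource_groups(&li) != 0) return 1;
    printf("%s\n", li.extra_sids[0]);
    return 0;
}
```

A consumer that builds its SID list from GroupIds and ExtraSids only sees the resource groups once this step has run, which is why the reply asks for it at the point where the info3 is read.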
