Regarding retrieving user group membership using wbinfo.
Simo
simo at samba.org
Thu Jun 12 08:27:59 MDT 2014
On Thu, 2014-06-12 at 15:40 +0200, Volker Lendecke wrote:
> On Thu, Jun 12, 2014 at 06:00:08AM -0700, Richard Sharpe wrote:
> > On Thu, Jun 12, 2014 at 5:05 AM, Hemanth Thummala
> > <hemanth.thummala at gmail.com> wrote:
> > > OK. I have found that group membership information is not complete when a user
> > > tries to log in using Kerberos.
> > >
> > > In the case of Kerberos there is a PAC_LOGON_INFO structure which is derived from
> > > the user's ticket.
> > >
> > > The structure looks like:
> > >
> > > struct PAC_LOGON_INFO {
> > >         struct netr_SamInfo3 info3;
> > >         struct dom_sid2 *res_group_dom_sid; /* [unique] */
> > >         struct samr_RidWithAttributeArray res_groups;
> > > };
> >
> > The PAC is defined in MS-PAC. The above structure does not seem to
> > match anything in MS-PAC.
> >
> > Does the user belong to groups not in the same domain that their SID is from?
>
> It's highly likely that Samba's librpc/idl/krb5pac.idl gets
> the structure names different from what MS-PAC calls them.
> The content should be there however, possibly with different
> substructuring. I guess what we call res_groups might be
> called
>
> ULONG ResourceGroupCount;
> [size_is(ResourceGroupCount)]
> PGROUP_MEMBERSHIP ResourceGroupIds;
>
> in [MS-PAC]. And you're right, at least in master
> source3/auth/user_krb5.c we only look at the info3
> substruct, not the res_groups.
>
> Metze, do you have an idea what that really is about?

I think we do not support SID compression yet ... :-(

Simo.
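
The gap discussed in this thread, as an added example that is not from any of the posters or from Samba's source: a simplified C model in which the group RIDs in info3 and those in res_groups are each expanded against their own domain SID, so a consumer that reads only info3 misses the resource-domain group. The struct layout, function names and string-form SIDs are assumptions made for illustration, and the sample values are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins (assumptions), not Samba's IDL-generated types. */
#define SID_MAX 64
struct rid_attr { uint32_t rid, attributes; };
struct pac_groups {
    const char *logon_dom_sid;      /* base SID for the info3 group RIDs */
    const struct rid_attr *groups; size_t group_count;
    const char *res_group_dom_sid;  /* base SID for res_groups, may be NULL */
    const struct rid_attr *res_groups; size_t res_group_count;
};
/* Append "<dom>-<rid>" per RID; returns the new count, or -1 on error. */
static int expand(const char *dom, const struct rid_attr *r, size_t n,
                  char out[][SID_MAX], size_t cap, size_t used)
{
    if (n > 0 && dom == NULL) return -1;  /* RIDs are useless without a base SID */
    for (size_t i = 0; i < n; i++, used++) {
        if (used >= cap) return -1;
        int len = snprintf(out[used], SID_MAX, "%s-%u", dom, (unsigned)r[i].rid);
        if (len < 0 || len >= SID_MAX) return -1;
    }
    return (int)used;
}

/* include_res = 0 models reading only info3; 1 also expands res_groups. */
int pac_group_sids(const struct pac_groups *p, int include_res,
                   char out[][SID_MAX], size_t cap)
{
    int n = expand(p->logon_dom_sid, p->groups, p->group_count, out, cap, 0);
    if (n < 0 || !include_res) return n;
    return expand(p->res_group_dom_sid, p->res_groups, p->res_group_count,
                  out, cap, (size_t)n);
}
/* Constructed sample: two account-domain groups, one resource-domain group. */
static const struct rid_attr g[] = { {513, 7}, {1105, 7} }, rg[] = { {1201, 7} };
static const struct pac_groups sample = { "S-1-5-21-1-2-3", g, 2, "S-1-5-21-7-8-9", rg, 1 };
/* Returns 1 if sid is in the expanded list, 0 if not, -1 on error. */
int sample_has(const char *sid, int include_res)
{
    char out[8][SID_MAX];
    int n = pac_group_sids(&sample, include_res, out, 8);
    for (int i = 0; i < n; i++) if (strcmp(out[i], sid) == 0) return 1;
    return n < 0 ? -1 : 0;
}
int main(void)
{
    printf("%d %d\n", sample_has("S-1-5-21-7-8-9-1201", 0), sample_has("S-1-5-21-7-8-9-1201", 1));
}
```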