Regarding retrieving user group membership using wbinfo.

Andrew Bartlett abartlet at samba.org
Fri Jun 13 03:16:21 MDT 2014


On Fri, 2014-06-13 at 11:04 +0300, Alexander Bokovoy wrote:
> On Fri, Jun 13, 2014 at 4:44 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Thu, 2014-06-12 at 16:59 +0200, Volker Lendecke wrote:
> >> On Thu, Jun 12, 2014 at 10:55:17AM -0400, Simo wrote:
> >> > On Thu, 2014-06-12 at 07:48 -0700, Richard Sharpe wrote:
> >> > > No. It is not SID compression. If I am reading the IDL correctly, we
> >> > > think  PAC contains a SamInfo3, but it does not. It contains most of a
> >> > > SamInfo4 but defines its own structure.
> >> >
> >> > There are 3/4 ways to list SIDs in a PAC structure, one is the classic
> >> > way with only sids related to the domain, then an extra sid field with
> >> > full SIDs not related to the domain, then a sid compression feature (to
> >> > reduce space, but still list extra sids) and I forgot if the Claim stuff
> >> > added a 4th way to list SIDs or if it reuses one of the above.
> >> >
> >> > It certainly isn't Sam Info3 and hasn't been for quite a while.
> >>
> >> So a simple way to get this done is to expand
> >> PAC_LOGON_INFO.info3.sids with SIDs that are prefixed by
> >> PAC_LOGON_INFO.res_group_dom_sid extended with RIDs from
> >> PAC_LOGON_INFO.res_groups, right? Sounds like a pretty
> >> simple patch, the problem is -- where should we put it
> >> exactly? :-)
> >
> > Yes, I think this is the simplest option at the moment.  See my other
> > mail for the sorry history of this saga.
> >
> > I had been opposed to changing the structure contents from the
> > 'pristine' structure given by the DC, but all the alternatives are much
> > worse.
> >
> > As to where, I think that a common function should be called from
> > before:
> >
> > source3/winbindd/winbind_pam.c:winbindd_raw_kerberos_login()
> >         *info3 = &logon_info->info3;
> >
> > source3/winbindd/winbind_pam.c:winbindd_pam_auth_pac_send()
> >                 netsamlogon_cache_store(NULL, &logon_info->info3);
> >
> > source3/auth/auth_generic.c:auth3_generate_session_info_pac()
> >         /* save the PAC data if we have it */
> >         if (logon_info) {
> >                 netsamlogon_cache_store(ntuser, &logon_info->info3);
> >         }
> >
> > In short, we should not directly de-reference for the info3, we should
> > generate a new one with the expanded groups, and return that.
> As long as we don't get the PAC with expanded SIDs re-signed, it should be OK.
> Note that re-signing will happen over cross-realm trust boundary and
> there we better keep the original state of MS-PAC with RIDs to avoid
> various problems with kernel/userspace boundaries due to expanded size
> of the ticket.

I agree.  This all appears to be on the 'member server' consumer side,
the AD DC does things differently anyway (and always did read these
RIDs). 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
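The expansion Volker sketches above (prefix each RID in PAC_LOGON_INFO.res_groups with PAC_LOGON_INFO.res_group_dom_sid and append the result to info3.sids) as an added, stand-alone example. This is not Samba code and not the patch discussed in the thread: SIDs are plain strings rather than struct dom_sid, the list type, the function names and the sample SIDs/RIDs are all constructed for illustration, and the duplicate check and the NULL/invalid domain-SID handling are the caveats a consumer of a PAC would want before copying the result into a new info3.

```c
/* Added example (not Samba code): expand PAC resource-group RIDs into
 * full SIDs and append them to an existing SID list, the way the thread
 * proposes for PAC_LOGON_INFO.info3.sids. SIDs are strings here; Samba
 * uses struct dom_sid, which is not reproduced. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_SIDS 64
#define SID_STR_LEN 128

/* Hypothetical fixed-size SID list standing in for info3.sids. */
struct sid_list {
    size_t count;
    char sids[MAX_SIDS][SID_STR_LEN];
};

/* Append a SID if it looks well-formed and is not already present.
 * Returns 1 if appended, 0 if it was a duplicate, -1 on invalid/overflow. */
static int sid_list_add(struct sid_list *l, const char *sid)
{
    if (sid == NULL || strncmp(sid, "S-1-", 4) != 0) return -1;
    for (size_t i = 0; i < l->count; i++) {
        if (strcmp(l->sids[i], sid) == 0) return 0;
    }
    if (l->count >= MAX_SIDS) return -1;
    snprintf(l->sids[l->count], SID_STR_LEN, "%s", sid);
    l->count++;
    return 1;
}

/* Expand res_groups RIDs against res_group_dom_sid and append each
 * "<dom_sid>-<rid>" to the list. A PAC without resource groups carries a
 * NULL domain SID, so that case is rejected up front rather than producing
 * SIDs like "(null)-513". Returns the number of SIDs actually added, or -1
 * if the domain SID is missing/invalid or the list overflows. */
int expand_resource_groups(struct sid_list *l, const char *res_group_dom_sid,
                           const uint32_t *res_groups, size_t nres)
{
    if (res_group_dom_sid == NULL ||
        strncmp(res_group_dom_sid, "S-1-", 4) != 0) {
        return -1;
    }
    int added = 0;
    for (size_t i = 0; i < nres; i++) {
        char buf[SID_STR_LEN];
        snprintf(buf, sizeof buf, "%s-%u",
                 res_group_dom_sid, (unsigned)res_groups[i]);
        int rc = sid_list_add(l, buf);
        if (rc < 0) return -1;
        added += rc;
    }
    return added;
}

/* Constructed sample: one ExtraSid already in the list, then a
 * resource-group domain with a duplicated RID to show the dedup path.
 * None of these values come from a real PAC. */
int demo_expand(struct sid_list *out)
{
    memset(out, 0, sizeof *out);
    sid_list_add(out, "S-1-5-21-1000-2000-3000-1105");   /* existing ExtraSid */
    const char *res_dom = "S-1-5-21-4000-5000-6000";      /* res_group_dom_sid */
    const uint32_t res[] = {513, 1107, 1107};             /* res_groups RIDs */
    return expand_resource_groups(out, res_dom, res, 3);
}

int main(void)
{
    struct sid_list l;
    int added = demo_expand(&l);
    printf("added %d resource-group SIDs, list now has %zu entries\n",
           added, l.count);
    for (size_t i = 0; i < l.count; i++) {
        printf("  %s\n", l.sids[i]);
    }
    return 0;
}
```

The important design point, matching Andrew's remark about not dereferencing the DC's info3 directly, is that the expansion writes into a separate list (`out`) and leaves the original PAC contents untouched, so the ticket that may later be forwarded or re-signed across a trust boundary still carries the compact RID form.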
