Samba version: 4.2.2
Windows Client: Win7
Windows Server: 2012 AD

I tried to set up a GPO security filter for a Windows client with a Samba4 server. The GPO security filter is basically a group; only members of that group are allowed to apply the policy. The group (filter) was the primary group of the client. But the GPO wasn't applied, and "gpresult /R /SCOPE COMPUTER" on the client showed "permission denied" for the policy. This works with a Windows AD Server 2012.

It seems that GPO security filtering is based on the groups in Kerberos PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY. So I "wiresharked" the Kerberos traffic in the Windows AD and Samba4 setups. In the AD setup, the GROUP_MEMBERSHIP_ARRAY contains the RID of the primary group (as you can see in the attached Kerberos AS-REP dump, ad-pac.txt). But with Samba4, the primary group is missing ("(NULL pointer) GROUP_MEMBERSHIP_ARRAY", samba4-pac.txt).

The attached patch fixes this problem for us. Basically, the primary group is always added to the group list in "auth_convert_user_info_dc_sambaseinfo" (used to create the PAC info data). And a check was added to make_user_info_dc_netlogon_validation (used to convert the PAC info into a Samba info object) to avoid putting the primary group in the group list twice. The PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY in the Kerberos AS-REP in my Samba4 environment now contains the RID of the primary group (and so does the output of the "net ads kerberos pac dump" command).
Created attachment 11198: 0001-add-primary-group-to-groups-in-kerberos-pac.patch
Created attachment 11199: ad-pac.txt
Created attachment 11200: samba4-pac.txt
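The report describes two conversions that must agree: building the PAC's GROUP_MEMBERSHIP_ARRAY from what the KDC knows about the account (the primary group must be listed), and converting a received PAC back into a Samba user-info object (the primary group must not end up in the group list twice). The following is an added, self-contained model of that round trip, not Samba's own code: the `UserInfoDC` class, the function names and the RIDs are constructed stand-ins, and the only real values are the Windows SE_GROUP attribute bits and the well-known "Domain Computers" RID 515. It also includes the check an administrator would want when debugging the symptom in the report, namely whether the primary group RID is absent from a PAC's group list.

```python
# Added example (not Samba code): models the PAC group-list round trip from the bug report.
from dataclasses import dataclass, field

# Real SE_GROUP attribute bits, as Windows sets them for ordinary group membership entries.
SE_GROUP_MANDATORY = 0x1
SE_GROUP_ENABLED_BY_DEFAULT = 0x2
SE_GROUP_ENABLED = 0x4
SE_GROUP_DEFAULT = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED

DOMAIN_COMPUTERS_RID = 515  # well-known RID of "Domain Computers"


@dataclass
class UserInfoDC:
    """Hypothetical stand-in for what the KDC knows about an account before the PAC is built.

    group_rids holds supplementary groups only; the primary group is a separate field,
    which is exactly why a naive conversion can leave it out of the PAC.
    """
    user_rid: int
    primary_gid: int
    group_rids: list = field(default_factory=list)


def to_pac_groups(info: UserInfoDC) -> list:
    """Build GROUP_MEMBERSHIP_ARRAY as a list of (rid, attributes) for PAC_LOGON_INFO.

    Mirrors the behaviour the report's patch introduces: the primary group is always
    emitted, followed by the supplementary groups (skipping a duplicate of the primary).
    """
    groups = [(info.primary_gid, SE_GROUP_DEFAULT)]
    for rid in info.group_rids:
        if rid != info.primary_gid:
            groups.append((rid, SE_GROUP_DEFAULT))
    return groups


def from_pac_groups(user_rid: int, primary_gid: int, pac_groups: list) -> UserInfoDC:
    """Reverse conversion (PAC/netlogon validation -> user info).

    The primary group arrives inside GROUP_MEMBERSHIP_ARRAY, so it is skipped here to
    avoid listing it twice; any other repeated RID is also collapsed.
    """
    rids = []
    for rid, _attrs in pac_groups:
        if rid == primary_gid or rid in rids:
            continue
        rids.append(rid)
    return UserInfoDC(user_rid=user_rid, primary_gid=primary_gid, group_rids=rids)


def primary_group_missing(primary_gid: int, pac_groups: list) -> bool:
    """The symptom from the report: GPO security filtering on the primary group fails
    when that group's RID is not present in the PAC group list."""
    return primary_gid not in {rid for rid, _attrs in pac_groups}


if __name__ == "__main__":
    # Constructed account: a machine whose primary group is a custom GPO filter group (RID 1200).
    machine = UserInfoDC(user_rid=1105, primary_gid=1200,
                         group_rids=[DOMAIN_COMPUTERS_RID, 1300])
    # Constructed "before" PAC, as the report describes: primary group absent.
    buggy_pac = [(DOMAIN_COMPUTERS_RID, SE_GROUP_DEFAULT), (1300, SE_GROUP_DEFAULT)]
    print("buggy PAC missing primary group:", primary_group_missing(1200, buggy_pac))
    fixed_pac = to_pac_groups(machine)
    print("fixed PAC:", fixed_pac)
    print("round trip:", from_pac_groups(1105, 1200, fixed_pac))
```

Run as a script it prints the constructed "before" PAC failing the check and the rebuilt PAC passing it; the round trip shows the supplementary groups coming back without a duplicated primary group.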
Remember this for 4.7.0
Ah, so that's why MS Certificate Services reports "Access Denied" despite 'Domain Computers' having enroll permissions but works fine with a custom group instead... Any chance this might be remembered for 4.10.0?
*** Bug 13136 has been marked as a duplicate of this bug. ***
Created attachment 15285: Patches for v4-9-test
Created attachment 15286: Patches for v4-10-test
Andrew, can we get that into the next releases?
Karolin, could you please apply the patches to 4.9, 4.10 and 4.11 if not fixed already. Thanks!
Comment on attachment 15286: Patches for v4-10-test

Sorry about missing the review requests. This looks good.
(In reply to Andreas Schneider from comment #10) Pushed to autobuild-v4-{10,9}-test.
(In reply to Karolin Seeger from comment #12) Pushed to both branches. Closing out bug report. Thanks!