Bug 11362 - GPO security filtering based on the groups in Kerberos PAC (but primary group is missing)
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.10.0rc3
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: 4.7
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Duplicates: 13136
Depends on:
Reported: 2015-06-25 11:15 UTC by Felix Botner
Modified: 2019-08-27 10:16 UTC
CC List: 5 users

See Also:

0001-add-primary-group-to-groups-in-kerberos-pac.patch (2.44 KB, patch)
2015-06-25 11:16 UTC, Felix Botner
no flags Details
ad-pac.txt (22.68 KB, text/plain)
2015-06-25 11:17 UTC, Felix Botner
no flags Details
samba4-pac.txt (22.15 KB, text/plain)
2015-06-25 11:18 UTC, Felix Botner
no flags Details
Patches for v4-9-test (15.97 KB, patch)
2019-07-04 07:07 UTC, Stefan Metzmacher
abartlet: review+
asn: review+
Patches for v4-10-test (15.97 KB, patch)
2019-07-04 07:08 UTC, Stefan Metzmacher
abartlet: review+
asn: review+

Description Felix Botner 2015-06-25 11:15:54 UTC
Samba version: 4.2.2
Windows Client: Win7
Windows Server: 2012 AD

I tried to set up a GPO security filter for a Windows client with a samba4 server. The GPO security filter is basically a group; only members of that group are allowed to apply the policy. The group (filter) was the primary group of the client. But the GPO wasn't applied, and "gpresult /R /SCOPE COMPUTER" on the client showed "permission denied" for the policy.

This works with a Windows AD Server 2012.

It seems that GPO security filtering is based on the groups in Kerberos PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY. So I "wiresharked" the Kerberos traffic in the Windows AD and Samba4 setups.
In the AD setup, the GROUP_MEMBERSHIP_ARRAY contains the RID of the primary group (as you can see in the attached Kerberos AS-REP dump, ad-pac.txt).
But with Samba4, the primary group is missing ("(NULL pointer) GROUP_MEMBERSHIP_ARRAY", samba4-pac.txt).

The attached patch fixes this problem for us.

Basically, the primary group is always added to the group list in "auth_convert_user_info_dc_sambaseinfo" (used to create the PAC info data). And a check was added to make_user_info_dc_netlogon_validation (used to convert the PAC info into a samba info object) to avoid putting the primary group in the group list twice.

The PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY in the Kerberos AS-REP in my Samba4 environment now contains the RID of the primary group (and so does the output of the "net ads kerberos pac dump" command).
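A compact model of the two-sided fix the reporter describes, added here as an example (it is not the attached patch and does not use Samba's own NDR types): the primary group is written into GROUP_MEMBERSHIP_ARRAY exactly once when the PAC is built, and skipped on the way back so the converted group list carries it only once. Struct, field and function names are stand-ins, and the RIDs used when exercising it are constructed.

```c
/* Added example, not the Samba patch: model of the fix; names and RIDs are stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_GROUPS 16

struct pac_logon_info {          /* the PAC_LOGON_INFO fields that matter here */
    uint32_t primary_gid;
    uint32_t group_count;        /* entries in GROUP_MEMBERSHIP_ARRAY */
    uint32_t group_rids[MAX_GROUPS];
};

/* Encoding side (cf. auth_convert_user_info_dc_sambaseinfo): list the primary group
 * in GROUP_MEMBERSHIP_ARRAY exactly once, so array-only consumers (GPO filters) see it. */
bool build_pac_groups(uint32_t primary_gid, const uint32_t *member_of, size_t n,
                      struct pac_logon_info *out)
{
    memset(out, 0, sizeof(*out));
    out->primary_gid = primary_gid;
    out->group_rids[out->group_count++] = primary_gid;
    for (size_t i = 0; i < n; i++) {
        if (member_of[i] == primary_gid) continue;   /* already listed */
        if (out->group_count >= MAX_GROUPS) return false;
        out->group_rids[out->group_count++] = member_of[i];
    }
    return true;
}

/* Decoding side (cf. make_user_info_dc_netlogon_validation): primary_gid is added on
 * its own, so a matching array entry is skipped rather than emitted twice. */
size_t pac_to_rid_list(const struct pac_logon_info *pac, uint32_t *rids, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return 0;
    rids[n++] = pac->primary_gid;
    for (uint32_t i = 0; i < pac->group_count && n < cap; i++) {
        if (pac->group_rids[i] == pac->primary_gid) continue;
        rids[n++] = pac->group_rids[i];
    }
    return n;
}

/* The reporter's Wireshark check: is the primary group RID present in the array? */
bool pac_lists_primary_group(const struct pac_logon_info *pac)
{
    for (uint32_t i = 0; i < pac->group_count; i++)
        if (pac->group_rids[i] == pac->primary_gid) return true;
    return false;
}
```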
Comment 1 Felix Botner 2015-06-25 11:16:39 UTC
Created attachment 11198 [details]
Comment 2 Felix Botner 2015-06-25 11:17:26 UTC
Created attachment 11199 [details]
Comment 3 Felix Botner 2015-06-25 11:18:25 UTC
Created attachment 11200 [details]
Comment 4 Stefan Metzmacher 2017-07-04 19:56:36 UTC
Remember this for 4.7.0
Comment 5 Mantas Mikulėnas (grawity) 2019-01-21 15:54:42 UTC
Ah, so that's why MS Certificate Services reports "Access Denied" despite 'Domain Computers' having enroll permissions but works fine with a custom group instead...

Any chance this might be remembered for 4.10.0?
Comment 6 Andrew Bartlett 2019-05-30 08:28:58 UTC
*** Bug 13136 has been marked as a duplicate of this bug. ***
Comment 7 Stefan Metzmacher 2019-07-04 07:07:35 UTC
Created attachment 15285 [details]
Patches for v4-9-test
Comment 8 Stefan Metzmacher 2019-07-04 07:08:24 UTC
Created attachment 15286 [details]
Patches for v4-10-test
Comment 9 Stefan Metzmacher 2019-07-31 13:49:11 UTC
Andrew, can we get that into the next releases?
Comment 10 Andreas Schneider 2019-08-21 15:10:18 UTC
Karolin, could you please apply the patches to 4.9, 4.10 and 4.11 if not fixed already. Thanks!
Comment 11 Andrew Bartlett 2019-08-21 20:10:24 UTC
Comment on attachment 15286 [details]
Patches for v4-10-test

Sorry about missing the review requests.  This looks good.
Comment 12 Karolin Seeger 2019-08-23 08:43:23 UTC
(In reply to Andreas Schneider from comment #10)
Pushed to autobuild-v4-{10,9}-test.
Comment 13 Karolin Seeger 2019-08-27 10:16:19 UTC
(In reply to Karolin Seeger from comment #12)
Pushed to both branches.
Closing out bug report.