11362 – GPO security filtering based on the groups in Kerberos PAC (but primary group is missing)

Bug 11362 - GPO security filtering based on the groups in Kerberos PAC (but primary group is missing)

Summary: GPO security filtering based on the groups in Kerberos PAC (but primary group...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.10.0rc3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	4.7
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Duplicates (1):	13136 (view as bug list)
Depends on:
Blocks:

Reported:	2015-06-25 11:15 UTC by Felix Botner
Modified:	2019-08-27 10:16 UTC (History)
CC List:	5 users (show)

See Also:

Attachments
0001-add-primary-group-to-groups-in-kerberos-pac.patch (2.44 KB, patch) 2015-06-25 11:16 UTC, Felix Botner	no flags	Details
ad-pac.txt (22.68 KB, text/plain) 2015-06-25 11:17 UTC, Felix Botner	no flags	Details
samba4-pac.txt (22.15 KB, text/plain) 2015-06-25 11:18 UTC, Felix Botner	no flags	Details
Patches for v4-9-test (15.97 KB, patch) 2019-07-04 07:07 UTC, Stefan Metzmacher	abartlet: review+ asn: review+	Details
Patches for v4-10-test (15.97 KB, patch) 2019-07-04 07:08 UTC, Stefan Metzmacher	abartlet: review+ asn: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner 2015-06-25 11:15:54 UTC

Samba version: 4.2.2
Windows Client: Win7
Windows Server: 2012 AD

I tried to set up a GPO security filter for a windows client with a samba4 server. The GPO security filter is basically a group, only members of that group are allowed to apply the policy. The group (filter) was the primary group of the client. But the GPO wasn't applied and "gpresult /R /SCOPE COMPUTER" on the client showed "permission denied" for the policy.

This works with a Windows AD Server 2012.

It seems that GPO security filtering is based on the groups in Kerberos PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY. So i "wiresharked" the kerberos traffic in the Windows AD and Samba4 setup.
In the AD setup, the GROUP_MEMBERSHIP_ARRAY contains the RID of the primary group (as you can see in the attached Kerberos AS-REP dump, ad-pac.txt).
But with Samba4, the primary group is missing ("(NULL pointer) GROUP_MEMBERSHIP_ARRAY", samba4-pac.txt).

The attached patch fixes this problem for us.

Basically the primary group is always added to the group list in "auth_convert_user_info_dc_sambaseinfo" (used to create the pac info data). And a check was added to make_user_info_dc_netlogon_validation (used to convert the pac info into a samba info object) to avoid putting the primary group in the group list twice.

The PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY in the Kerberos AS-REP in my Samba4 environment now contains the RID of the primary group (and so the output of "net ads kerberos pac dump" command)

Comment 1 Felix Botner 2015-06-25 11:16:39 UTC

Created attachment 11198 [details]
0001-add-primary-group-to-groups-in-kerberos-pac.patch

Comment 2 Felix Botner 2015-06-25 11:17:26 UTC

Created attachment 11199 [details]
ad-pac.txt

Comment 3 Felix Botner 2015-06-25 11:18:25 UTC

Created attachment 11200 [details]
samba4-pac.txt

Comment 4 Stefan Metzmacher 2017-07-04 19:56:36 UTC

Remember this for 4.7.0

Comment 5 Mantas Mikulėnas (grawity) 2019-01-21 15:54:42 UTC

Ah, so that's why MS Certificate Services reports "Access Denied" despite 'Domain Computers' having enroll permissions but works fine with a custom group instead...

Any chance this might be remembered for 4.10.0?

Comment 6 Andrew Bartlett 2019-05-30 08:28:58 UTC

*** Bug 13136 has been marked as a duplicate of this bug. ***

Comment 7 Stefan Metzmacher 2019-07-04 07:07:35 UTC

Created attachment 15285 [details]
Patches for v4-9-test

Comment 8 Stefan Metzmacher 2019-07-04 07:08:24 UTC

Created attachment 15286 [details]
Patches for v4-10-test

Comment 9 Stefan Metzmacher 2019-07-31 13:49:11 UTC

Andrew can we get that into the next releases?

Comment 10 Andreas Schneider 2019-08-21 15:10:18 UTC

Karolin, could you please apply the patches to 4.9, 4.10 and 4.11 if not fixed already. Thanks!

Comment 11 Andrew Bartlett 2019-08-21 20:10:24 UTC

Comment on attachment 15286 [details]
Patches for v4-10-test

Sorry about missing the review requests.  This looks good.

Comment 12 Karolin Seeger 2019-08-23 08:43:23 UTC

(In reply to Andreas Schneider from comment #10)
Pushed to autobuild-v4-{10,9}-test.

Comment 13 Karolin Seeger 2019-08-27 10:16:19 UTC

(In reply to Karolin Seeger from comment #12)
Pushed to both branches.
Closing out bug report.

Thanks!