The Samba-Bugzilla – Bug 11362
GPO security filtering based on the groups in Kerberos PAC (but primary group is missing)
Last modified: 2017-07-04 19:56:36 UTC
Samba version: 4.2.2
Windows Client: Win7
Windows Server: 2012 AD
I tried to set up a GPO security filter for a Windows client with a Samba4 server. The GPO security filter is basically a group; only members of that group are allowed to apply the policy. The group (filter) was the primary group of the client. But the GPO wasn't applied, and "gpresult /R /SCOPE COMPUTER" on the client showed "permission denied" for the policy.
This works with a Windows AD Server 2012.
It seems that GPO security filtering is based on the groups in Kerberos PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY. So I "wiresharked" the Kerberos traffic in the Windows AD and Samba4 setups.
In the AD setup, the GROUP_MEMBERSHIP_ARRAY contains the RID of the primary group (as you can see in the attached Kerberos AS-REP dump, ad-pac.txt).
But with Samba4, the primary group is missing ("(NULL pointer) GROUP_MEMBERSHIP_ARRAY", samba4-pac.txt).
The attached patch fixes this problem for us.
Basically, the primary group is always added to the group list in "auth_convert_user_info_dc_sambaseinfo" (used to create the PAC info data), and a check was added to make_user_info_dc_netlogon_validation (used to convert the PAC info into a Samba info object) to avoid putting the primary group in the group list twice.
The PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY in the Kerberos AS-REP in my Samba4 environment now contains the RID of the primary group (and so does the output of the "net ads kerberos pac dump" command).
Created attachment 11198
Created attachment 11199
Created attachment 11200
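The following is an added example, not part of the bug report and not Samba's code. It models the two sides of the fix the reporter describes (always emit the primary group into GROUP_MEMBERSHIP_ARRAY; do not add it a second time when converting the PAC back), plus the check that would have caught the 4.2.2 behaviour and the client-side filter decision the reporter observed. The domain SID, RIDs and the "client whose primary group is the filter group" scenario are constructed sample data; the SE_GROUP_* attribute values are the standard Windows constants, assumed here as the default attributes of a PAC group entry.

```python
"""Model of the PAC group-list handling discussed in Samba bug 11362.

Added example, not Samba's code and not part of the bug report. The domain
SID, RIDs and group scenario are constructed sample data; the SE_GROUP_*
values are the standard Windows constants, assumed as default attributes.
"""
from dataclasses import dataclass
from typing import List

# MS-PAC GROUP_MEMBERSHIP.Attributes flags (standard Windows values, assumed).
SE_GROUP_MANDATORY = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED = 0x00000004
DEFAULT_GROUP_ATTRS = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED


@dataclass
class GroupMembership:
    """One entry of PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY (RID + attributes)."""
    rid: int
    attributes: int = DEFAULT_GROUP_ATTRS


@dataclass
class LogonInfo:
    """The PAC_LOGON_INFO fields relevant to the report."""
    domain_sid: str
    user_rid: int
    primary_group_rid: int
    group_ids: List[GroupMembership]


def build_logon_info(domain_sid, user_rid, primary_group_rid, member_rids):
    """Emitting side (the auth_convert_user_info_dc_sambaseinfo part of the fix):
    the primary group always ends up in GROUP_MEMBERSHIP_ARRAY, but only once,
    even if the caller's group list already contains it."""
    rids = list(member_rids)
    if primary_group_rid not in rids:
        rids.append(primary_group_rid)
    return LogonInfo(domain_sid, user_rid, primary_group_rid,
                     [GroupMembership(r) for r in rids])


def pac_missing_primary_group(info):
    """The check a test could run against the AS-REP's PAC: is PrimaryGroupId
    absent from GROUP_MEMBERSHIP_ARRAY (the Samba 4.2.2 behaviour)?"""
    return all(g.rid != info.primary_group_rid for g in info.group_ids)


def client_group_sids(info):
    """Group SIDs a Windows client derives from the PAC, as the report observes:
    GPO filtering looks at GROUP_MEMBERSHIP_ARRAY, not at PrimaryGroupId."""
    return [f"{info.domain_sid}-{g.rid}" for g in info.group_ids]


def gpo_applies(info, filter_group_sid):
    """GPO security filtering: the filter group must be in the client's token."""
    return filter_group_sid in client_group_sids(info)


def samba_user_info_group_sids(info):
    """Consuming side (the make_user_info_dc_netlogon_validation part of the fix):
    add PrimaryGroupId when rebuilding the user info, but only if the PAC did
    not already list it, so the group never appears twice."""
    sids = client_group_sids(info)
    primary = f"{info.domain_sid}-{info.primary_group_rid}"
    if primary not in sids:
        sids.append(primary)
    return sids


# Constructed scenario: a domain-joined client whose primary group (RID 515,
# Domain Computers) is the GPO's security-filter group, plus one other group.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CLIENT_RID, PRIMARY_RID, OTHER_RID = 1104, 515, 1105
FILTER_SID = f"{DOMAIN_SID}-{PRIMARY_RID}"

# 4.2.2 behaviour from the report: the primary group is not in the array.
BUGGY_PAC = LogonInfo(DOMAIN_SID, CLIENT_RID, PRIMARY_RID, [GroupMembership(OTHER_RID)])
# Patched behaviour: the primary group is added on the way out.
FIXED_PAC = build_logon_info(DOMAIN_SID, CLIENT_RID, PRIMARY_RID, [OTHER_RID])

if __name__ == "__main__":
    for name, pac in (("4.2.2", BUGGY_PAC), ("patched", FIXED_PAC)):
        print(name, [g.rid for g in pac.group_ids],
              "GPO applies:", gpo_applies(pac, FILTER_SID))
```

Run as a script, the 4.2.2 case reports that the GPO does not apply (the "permission denied" the reporter saw in gpresult) and the patched case reports that it does; pac_missing_primary_group is the assertion worth adding to any test that dumps a PAC, since PrimaryGroupId being set is not enough for the client.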
Remember this for 4.7.0