Bug 11362 - GPO security filtering based on the groups in Kerberos PAC (but primary group is missing)
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware/OS: All / All
Importance: P5 normal
Target Milestone: 4.7
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: (none)
Reported: 2015-06-25 11:15 UTC by Felix Botner
Modified: 2017-07-04 19:56 UTC (History)
Attachments:
- 0001-add-primary-group-to-groups-in-kerberos-pac.patch (2.44 KB, patch), 2015-06-25 11:16 UTC, Felix Botner
- ad-pac.txt (22.68 KB, text/plain), 2015-06-25 11:17 UTC, Felix Botner
- samba4-pac.txt (22.15 KB, text/plain), 2015-06-25 11:18 UTC, Felix Botner

Description Felix Botner 2015-06-25 11:15:54 UTC
Samba version: 4.2.2
Windows Client: Win7
Windows Server: 2012 AD

I tried to set up a GPO security filter for a Windows client with a Samba4 server. The GPO security filter is basically a group; only members of that group are allowed to apply the policy. The group (filter) was the primary group of the client. But the GPO wasn't applied, and "gpresult /R /SCOPE COMPUTER" on the client showed "permission denied" for the policy.

This works with a Windows AD Server 2012.

It seems that GPO security filtering is based on the groups in Kerberos PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY. So I "wiresharked" the Kerberos traffic in the Windows AD and Samba4 setups.
In the AD setup, the GROUP_MEMBERSHIP_ARRAY contains the RID of the primary group (as you can see in the attached Kerberos AS-REP dump, ad-pac.txt).
But with Samba4, the primary group is missing ("(NULL pointer) GROUP_MEMBERSHIP_ARRAY", samba4-pac.txt).

The attached patch fixes this problem for us.

Basically, the primary group is always added to the group list in "auth_convert_user_info_dc_sambaseinfo" (used to create the PAC info data), and a check was added to make_user_info_dc_netlogon_validation (used to convert the PAC info into a Samba info object) to avoid putting the primary group in the group list twice.

The PAC_LOGON_INFO:GROUP_MEMBERSHIP_ARRAY in the Kerberos AS-REP in my Samba4 environment now contains the RID of the primary group (and so does the output of the "net ads kerberos pac dump" command).
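The following is an added example illustrating the two conversions the report describes, not code from Samba or from the attached patch. It uses a deliberately simplified model: accounts and groups are plain RIDs rather than struct dom_sid, the two structs are stand-ins for auth_user_info_dc and netr_SamBaseInfo, and the function names, the constructed RIDs (1105 as the primary group, 1106/1107 as supplementary groups) and the filter check are assumptions made for this demonstration. It shows why a PAC whose GROUP_MEMBERSHIP_ARRAY omits the primary group fails a security filter on that group, and why the reverse conversion needs the duplicate check once the primary group is included.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 32

/* Stand-in for auth_user_info_dc (simplified, RIDs only): the primary group
 * is kept separately from the supplementary group list. */
struct user_info_dc {
    uint32_t primary_group_rid;
    uint32_t group_rids[MAX_GROUPS];
    size_t num_groups;
};

/* Stand-in for netr_SamBaseInfo, i.e. the PAC_LOGON_INFO body: primary_gid
 * plus GROUP_MEMBERSHIP_ARRAY. */
struct sam_base_info {
    uint32_t primary_gid;
    uint32_t group_rids[MAX_GROUPS];
    size_t num_groups;
};

static bool contains_rid(const uint32_t *rids, size_t n, uint32_t rid)
{
    for (size_t i = 0; i < n; i++) {
        if (rids[i] == rid) return true;
    }
    return false;
}

/* user_info_dc -> SamBaseInfo (the direction the PAC is built in).
 * include_primary=false reproduces the behaviour the report observed
 * (primary group absent from the array); true reproduces the fix. */
bool to_sam_base_info(const struct user_info_dc *in, bool include_primary,
                      struct sam_base_info *out)
{
    memset(out, 0, sizeof(*out));
    out->primary_gid = in->primary_group_rid;
    if (include_primary) {
        out->group_rids[out->num_groups++] = in->primary_group_rid;
    }
    for (size_t i = 0; i < in->num_groups; i++) {
        if (out->num_groups >= MAX_GROUPS) return false;
        out->group_rids[out->num_groups++] = in->group_rids[i];
    }
    return true;
}

/* SamBaseInfo -> user_info_dc (the direction a received PAC is parsed in).
 * The primary group is skipped if it already appears in the array, so a PAC
 * produced by the fixed builder is not turned into a list holding it twice. */
bool from_sam_base_info(const struct sam_base_info *in, struct user_info_dc *out)
{
    memset(out, 0, sizeof(*out));
    out->primary_group_rid = in->primary_gid;
    for (size_t i = 0; i < in->num_groups; i++) {
        uint32_t rid = in->group_rids[i];
        if (rid == in->primary_gid) continue;
        if (contains_rid(out->group_rids, out->num_groups, rid)) continue;
        if (out->num_groups >= MAX_GROUPS) return false;
        out->group_rids[out->num_groups++] = rid;
    }
    return true;
}

/* GPO security filtering as the report describes it: the policy applies only
 * if the filter group's RID is present in GROUP_MEMBERSHIP_ARRAY. */
bool gpo_filter_allows(const struct sam_base_info *pac, uint32_t filter_group_rid)
{
    return contains_rid(pac->group_rids, pac->num_groups, filter_group_rid);
}

/* Constructed account: primary group 1105, supplementary groups 1106 and 1107. */
static const struct user_info_dc sample_account = {
    .primary_group_rid = 1105, .group_rids = {1106, 1107}, .num_groups = 2,
};

/* Does a filter on the account's primary group pass for a PAC built with or
 * without the fix? */
bool demo_filter_on_primary_group(bool with_fix)
{
    struct sam_base_info pac;
    to_sam_base_info(&sample_account, with_fix, &pac);
    return gpo_filter_allows(&pac, sample_account.primary_group_rid);
}

/* How many supplementary groups survive a build-then-parse round trip?
 * The expected answer is 2 in both cases: the fix must not add a duplicate. */
size_t demo_roundtrip_group_count(bool with_fix)
{
    struct sam_base_info pac;
    struct user_info_dc parsed;
    to_sam_base_info(&sample_account, with_fix, &pac);
    from_sam_base_info(&pac, &parsed);
    return parsed.num_groups;
}

int main(void)
{
    printf("filter on primary group, without fix: %s\n",
           demo_filter_on_primary_group(false) ? "allowed" : "permission denied");
    printf("filter on primary group, with fix:    %s\n",
           demo_filter_on_primary_group(true) ? "allowed" : "permission denied");
    printf("groups after round trip with fix: %zu\n", demo_roundtrip_group_count(true));
    return 0;
}
```

The first printed line corresponds to the "permission denied" result in the report; the second to the behaviour after the patch. The round-trip count stays at two supplementary groups because the parser drops the primary group it already knows from primary_gid, which is the purpose of the check the report mentions in make_user_info_dc_netlogon_validation.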
Comment 1 Felix Botner 2015-06-25 11:16:39 UTC
Created attachment 11198
Comment 2 Felix Botner 2015-06-25 11:17:26 UTC
Created attachment 11199
Comment 3 Felix Botner 2015-06-25 11:18:25 UTC
Created attachment 11200
Comment 4 Stefan Metzmacher 2017-07-04 19:56:36 UTC
Remember this for 4.7.0