Bug 8510 - Netr_LogonSamLogon does not properly include groups on domain logon
Status: RESOLVED DUPLICATE of bug 8455
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
Version: 3.6.0
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2011-10-07 13:01 UTC by Wilco Baan Hofman
Modified: 2011-10-13 13:49 UTC (History)

Attachments
Logon process (48 bytes, text/plain)
2011-10-07 13:17 UTC, Wilco Baan Hofman
The capture of the network traffic between 2008R2 and Samba 3.6.0 (52 bytes, text/plain)
2011-10-11 09:49 UTC, Wilco Baan Hofman
The related log.smbd at level 10 (2.08 MB, text/plain)
2011-10-11 14:54 UTC, Wilco Baan Hofman
Log file at level 10 (35 bytes, text/plain)
2011-10-11 15:04 UTC, Wilco Baan Hofman

Description Wilco Baan Hofman 2011-10-07 13:01:01 UTC
Upon logon, Windows requests the group memberships of a user to determine what rights to assign. I am not assigned any of the rights and cannot log in using terminal server.

However:
net user %username% /domain <- works
net group "Domain Admins" /domain <- works

According to Wireshark, the SAMR GetGroupsforUser call gives a malformed answer.
Response is packet 20458 at 10.1837s
Comment 1 Wilco Baan Hofman 2011-10-07 13:17:05 UTC
Created attachment 6979
Logon process
Comment 2 Wilco Baan Hofman 2011-10-11 09:49:17 UTC
Created attachment 6983
The capture of the network traffic between 2008R2 and Samba 3.6.0

Created another attachment, as the start of the TCP session was missing in the other capture. For some reason, Wireshark on my laptop parses the packet fine (not the Wireshark I made the capture with), suggesting the bug is not in the getgroupsforuser call.
Comment 3 Wilco Baan Hofman 2011-10-11 14:54:25 UTC
Created attachment 6984
The related log.smbd at level 10
Comment 4 Guenther Deschner 2011-10-11 14:58:47 UTC
No samlogon in that log, please reboot client and retry.
Comment 5 Wilco Baan Hofman 2011-10-11 15:04:00 UTC
Created attachment 6985
Log file at level 10

New log file, see line 14851
Comment 6 Wilco Baan Hofman 2011-10-11 15:06:46 UTC
Okay, the groups rid array in the Netr_LogonSamLogon response is empty.

This does work via Samr_GetGroupsForUser (net user .. /domain on Windows).
Comment 7 Wilco Baan Hofman 2011-10-13 12:34:31 UTC
It appears to fail in samu_to_SamInfo3, the resulting rids are not stored. It appears that pdb_enum_group_memberships works as expected, but the compiler seems to optimize out the return values for some reason.

441		status = pdb_enum_group_memberships(mem_ctx, samu,
(gdb) 
444		if (!NT_STATUS_IS_OK(status)) {
(gdb) print group_sids
$40 = <optimized out>
(gdb) print gids
$41 = <optimized out>
(gdb) next
450		if (num_group_sids) {
(gdb) 
451			status = group_sids_to_info3(info3, group_sids, num_group_sids);
(gdb) step
group_sids_to_info3 (num_sids=<optimized out>, sids=<optimized out>, info3=<optimized out>) at auth/server_info.c:267
267		groups->rids = talloc_array(info3,
(gdb) next
samu_to_SamInfo3 (mem_ctx=<optimized out>, samu=0x7ffff8282210, login_server=<optimized out>, _info3=<optimized out>, extra=0x7ffff828abb0) at auth/server_info.c:451
451			status = group_sids_to_info3(info3, group_sids, num_group_sids);
(gdb) step
group_sids_to_info3 (num_sids=<optimized out>, sids=<optimized out>, info3=<optimized out>) at auth/server_info.c:264
264		domain_sid = info3->base.domain_sid;
(gdb) next
267		groups->rids = talloc_array(info3,
(gdb) next
269		if (!groups->rids) {
(gdb) print groups
$42 = <optimized out>
Comment 8 Wilco Baan Hofman 2011-10-13 13:48:30 UTC
The problem is that group_sids_to_info3 can't verify the group because the domain sid is unavailable.

Volker fixed this in commit 3dcec44f3edbc9c4f1946ead3480f6d01cd53e7a

This bug is apparently a duplicate of bug 8455.
Comment 9 Wilco Baan Hofman 2011-10-13 13:49:31 UTC

*** This bug has been marked as a duplicate of bug 8455 ***
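
A simplified model of the failure described in comment 8, as an added example that is not part of the original bug thread and is not Samba's code: the `struct sid` layout and the functions `sids_to_rids` and `sids_to_rids_checked` are hypothetical. It shows how a SID-to-RID conversion that skips groups it cannot match against the domain SID returns an empty list without any error when the domain SID is unset, next to a variant that surfaces the condition to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified SID (assumption): sub-authorities only; the last one is the RID. */
struct sid { uint8_t num_auths; uint32_t sub_auths[15]; };

/* True if `s` is `dom` plus exactly one trailing RID. */
static int sid_in_domain(const struct sid *dom, const struct sid *s)
{
    return dom->num_auths != 0 && s->num_auths == dom->num_auths + 1 &&
           memcmp(dom->sub_auths, s->sub_auths,
                  dom->num_auths * sizeof(uint32_t)) == 0;
}

/* Failure model: unmatched SIDs are skipped silently, so an unset domain SID yields 0 RIDs. */
int sids_to_rids(const struct sid *dom, const struct sid *sids, int n, uint32_t *rids)
{
    int out = 0;
    for (int i = 0; i < n; i++)
        if (sid_in_domain(dom, &sids[i]))
            rids[out++] = sids[i].sub_auths[sids[i].num_auths - 1];
    return out;
}

/* Checked variant: error on an unset domain SID; report dropped SIDs for logging. */
int sids_to_rids_checked(const struct sid *dom, const struct sid *sids, int n,
                         uint32_t *rids, int *dropped)
{
    if (dom == NULL || dom->num_auths == 0)
        return -1;
    int out = sids_to_rids(dom, sids, n, rids);
    *dropped = n - out;
    return out;
}

/* Constructed sample data: domain S-1-5-21-1-2-3 with group RIDs 512, 513. */
static const struct sid DOM = { 4, { 21, 1, 2, 3 } };
static const struct sid UNSET_DOM = { 0, { 0 } };
static const struct sid GROUPS[2] = {
    { 5, { 21, 1, 2, 3, 512 } }, { 5, { 21, 1, 2, 3, 513 } } };

int main(void)
{
    uint32_t rids[2];
    printf("domain set: %d RIDs\n", sids_to_rids(&DOM, GROUPS, 2, rids));
    printf("domain unset: %d RIDs\n", sids_to_rids(&UNSET_DOM, GROUPS, 2, rids));
    return 0;
}
```

The unchecked call reports success with zero groups, which matches the symptom in comment 6: the logon proceeds but carries no group memberships.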