Wrong SIDs returned in PacLogonInfo.resourceGroupSids #61

Open
Simone3431 opened this issue Jan 31, 2024 · 1 comment · May be fixed by #66

Comments

@Simone3431

Hi,

First of all, thanks for all the work, it really saved me some time. Especially the SID retrieval part directly from the Kerberos ticket.

Looking into that, I seem to have an issue on my end. Not sure where it comes from and if it could be an issue from the ticket decoding. When looking at the SID retrieved from a user of my app, I get some stuff in the resourceGroupSids part of the PacLogonInfo. This info is the local/applicative rights related to the user, so that's good, but it seems the SIDs retrieved are not entirely correct.

Here's an example of what I've got (no real data):

  • SID registered in the AD (retrieved otherwise, so the true one) : S-1-X-12-12345-12345-12345-9999
  • SID retrieved in resourceGroupSids : S-1-X-12-12345-12345-12345-12-12345-12345-12345-9999

Basically it seems some data is duplicated while constructing the SID. In summary I have :
-> correct SID: S-1-X-SOMESTUFF-9999
-> SID in resourceGroupSids: S-1-X-SOMESTUFF-SOMESTUFF-9999

I'm not too familiar with all these mechanisms, so I don't know if something is indeed wrong here or if I'm mistaken somehow?
I checked for SIDs retrieved in PacLogonInfo groupSids and these ones are correct.

Cheers,
Sylvain

@cluck

cluck commented Mar 25, 2025

I have the same issue, and it seems to be related to Resource SID Compression.

It looks like SIDs get "de-compressed" twice, once only when compression is detected:

```java
int attributes = (int) pacStream.readInt();
PacSid relativeSid = PacSid.createFromSubs(relativeId);
PacSid id = PacSid.append(resourceDomainId, relativeSid);
```

and (in all cases) again later on:

```java
// Compute Resource Group IDs with Resource Domain ID to get SIDs
resourceGroupSids = new PacSid[resourceGroups.length];
for (int i = 0; i < resourceGroups.length; i++) {
    resourceGroupSids[i] = PacSid.append(resourceDomainId, resourceGroups[i].getId());
}
```

I think this leads to bad Resource SIDs in both cases.

@cluck cluck linked a pull request Mar 25, 2025 that will close this issue
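
The double expansion described in the comment above, reduced to a stand-alone Java sketch (an added example, not code from the project or from the linked pull request). `ResourceSidCheck`, `Sid` and `isWellFormed` are hypothetical names and the SID values are constructed. It also shows a sanity check a consumer of `resourceGroupSids` can apply before using the values for authorization: a decompressed resource group SID is the resource domain SID followed by exactly one relative ID.

```java
import java.util.Arrays;
import java.util.stream.Collectors;
import java.util.stream.LongStream;

// Added illustration; Sid is a hypothetical stand-in, not the project's PacSid.
public class ResourceSidCheck {

    // Minimal SID model: only the sub-authorities matter for this bug.
    record Sid(long[] subs) {
        // Concatenate sub-authorities, as appending a relative SID to a domain SID does.
        Sid append(Sid tail) {
            return new Sid(LongStream.concat(Arrays.stream(subs), Arrays.stream(tail.subs)).toArray());
        }

        boolean startsWith(Sid prefix) {
            return subs.length >= prefix.subs.length
                && Arrays.equals(subs, 0, prefix.subs.length, prefix.subs, 0, prefix.subs.length);
        }

        // Revision 1 and identifier authority 5 are fixed here for display only.
        @Override public String toString() {
            return "S-1-5-" + Arrays.stream(subs).mapToObj(Long::toString).collect(Collectors.joining("-"));
        }
    }

    // A well-formed resource group SID is the resource domain SID plus exactly one RID.
    static boolean isWellFormed(Sid domain, Sid group) {
        return group.subs().length == domain.subs().length + 1 && group.startsWith(domain);
    }

    public static void main(String[] args) {
        Sid domain = new Sid(new long[] {21, 1111, 2222, 3333}); // constructed resource domain SID
        Sid rid = new Sid(new long[] {9999});                    // constructed relative ID

        Sid once = domain.append(rid);   // decompressed one time
        Sid twice = domain.append(once); // domain prefix applied a second time

        System.out.println(once + " wellFormed=" + isWellFormed(domain, once));
        System.out.println(twice + " wellFormed=" + isWellFormed(domain, twice));
    }
}
```

The second value has the same shape as the SID in the original report: the domain sub-authorities appear twice before the final relative ID, so it matches no group in the directory.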