Re: [cifs-protocol] How to get the expanded group memberships for a user

2009-12-08 Thread Edgar Olougouna
Metze,

Thank you for your inquiry. Please find below the answers for your questions. 

1) When calling DRSGetMemberships to get the user's group memberships,
DRSGetMemberships is not proxied by the DC of COMPUTER-DOM to a DC of USERS-DOM
in the cross-forest trust scenario you described.

2) It is by design that the DRSGetMemberships reverse membership
derivation only occurs for an object that is local to the DC of COMPUTER-DOM
(unlike LookupNames, which would be proxied by the DC of COMPUTER-DOM to a DC of
USERS-DOM).

3) This explains why you were able to use DRSGetMemberships and look up
memberships for the SID of COMPUTER-DOM\Administrator.

Let us know whether you have further questions on this topic.

Best regards,
Edgar


-Original Message-
From: Stefan (metze) Metzmacher [mailto:me...@samba.org] 
Sent: Thursday, November 12, 2009 7:47 AM
To: Interoperability Documentation Help; cifs-proto...@samba.org; 
p...@tridgell.net
Subject: How to get the expanded group memberships for a user

Hi,

I'm trying to solve the following problem:

COMPUTERS-DOM has an outgoing forest trust to USERS-DOM.

Samba as a member server in COMPUTERS-DOM wants to get fully expanded group 
memberships of user USERS-DOM\Administrator without knowing the password of 
USERS-DOM\Administrator.
(The best would be to get the whole PAC structure, which we're getting if the 
user is authenticated via KRB5 or netr_LogonSamLogon).

With a 2-way forest trust that's no problem.
Samba can ask a DC of COMPUTER-DOM via LookupNames about the SID of 
USERS-DOM\Administrator.
Then Samba can use its machine account and ask a DC of USERS-DOM via LDAP 
about the tokenGroups of the user (that's how Samba currently works).
The second way would be to use S4U2Self to get the PAC via a Krb5 Ticket.

But with a one-way trust only the LookupNames works, as the DC of COMPUTER-DOM 
will proxy the request to a DC of USERS-DOM using the trust account.

But Samba can't directly talk to a DC of USERS-DOM using its machine account. 
So both LDAP and S4U2Self won't work.

I just found that DRSGetMemberships can also get the user's groups. I hoped that 
it would behave like LookupNames and would be proxied by the DC of COMPUTER-DOM 
to a DC of USERS-DOM. But I'm unable to trigger this.
Is that by design or am I doing something wrong (DRSGetMemberships works fine 
for the SID of COMPUTER-DOM\Administrator)?

Is there any other way to solve this problem?

metze

___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
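As an added illustration of the two-way-trust path metze describes (LookupNames for the SID, then an LDAP tokenGroups query against a DC of USERS-DOM using the machine account), here is example code that is not part of this thread or of Samba: it decodes the raw binary SIDs such a tokenGroups query returns and builds the expanded membership list. The domain SID and group RIDs below are constructed sample values.

```python
import struct

# Constructed sample domain SID for USERS-DOM (made up for this example).
USERS_DOM_SID = "S-1-5-21-1000-2000-3000"

def sid_to_bytes(sid):
    """Encode S-1-... as the binary SID layout (objectSid/tokenGroups): revision,
    sub-authority count, 48-bit big-endian authority, 32-bit LE sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_from_bytes(raw):
    """Decode the binary layout; reject truncated or inconsistent values."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def expanded_token(object_sid, token_groups):
    """User's own SID first, then every expanded group SID, duplicates dropped."""
    token = []
    for raw in [object_sid] + list(token_groups):
        sid = sid_from_bytes(raw)
        if sid not in token:
            token.append(sid)
    return token

def split_by_domain(sids, domain_sid):
    """Separate SIDs issued by the user's own domain from BUILTIN/other SIDs."""
    own = [s for s in sids if s.startswith(domain_sid + "-")]
    return own, [s for s in sids if s not in own]

# Constructed tokenGroups result for USERS-DOM\Administrator (RID 500).
SAMPLE_USER_SID = sid_to_bytes(USERS_DOM_SID + "-500")
SAMPLE_TOKEN_GROUPS = [sid_to_bytes(s) for s in (
    USERS_DOM_SID + "-513",  # Domain Users
    USERS_DOM_SID + "-512",  # Domain Admins
    "S-1-5-32-544",          # BUILTIN\Administrators
    USERS_DOM_SID + "-512",  # repeated on purpose to exercise de-duplication
)]
```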


Re: [cifs-protocol] How to get the expanded group memberships for a user

2009-11-20 Thread Stefan (metze) Metzmacher
Hi Edgar,

> I am looking into this and will update you on my progress.

Any updates?

metze





Re: [cifs-protocol] How to get the expanded group memberships for a user

2009-11-20 Thread Edgar Olougouna
Hi Stefan,

We are actively working on this issue. I will update you as soon as I have news.

Best regards,

Edgar



Re: [cifs-protocol] How to get the expanded group memberships for a user

2009-11-12 Thread Edgar Olougouna
Hi Stefan,

I am looking into this and will update you on my progress.

Best regards,

Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team