<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;"><div>Christof,</div><div><br></div><div>Is the behaviour different on the Global Catalog port? Are both servers GC instances?</div><div><br></div><div>Andrew,</div><div><br></div><div>On Thu, 2022-09-29 at 23:02 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>[Obaid to BCC]</pre><pre><br></pre><pre>Hi Christof,</pre><pre><br></pre><pre>I will research your question and let you know what I find. </pre><pre><br></pre><pre>Best regards,</pre><pre>Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team </pre><pre>Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)</pre><pre>Local country phone number found here: </pre><a href="http://support.microsoft.com/globalenglish"><pre>http://support.microsoft.com/globalenglish</pre></a><pre> | Extension 1138300</pre><pre><br></pre><pre>-----Original Message-----</pre><pre>From: Obaid Farooqi <</pre><a href="mailto:obaidf@microsoft.com"><pre>obaidf@microsoft.com</pre></a><pre>> </pre><pre>Sent: Thursday, September 29, 2022 3:50 PM</pre><pre>To: Christof Schmitt <</pre><a href="mailto:cs@samba.org"><pre>cs@samba.org</pre></a><pre>></pre><pre>Cc: Microsoft Support <</pre><a href="mailto:supportmail@microsoft.com"><pre>supportmail@microsoft.com</pre></a><pre>>; </pre><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre></a><pre><br></pre><pre>Subject: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412</pre><pre><br></pre><pre>Hi Christof:</pre><pre>Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.</pre><pre><br></pre><pre>Regards,</pre><pre>Obaid Farooqi</pre><pre>Escalation Engineer | Microsoft</pre><pre><br></pre><pre>-----Original Message-----</pre><pre>From: Christof Schmitt <</pre><a href="mailto:cs@samba.org"><pre>cs@samba.org</pre></a><pre>></pre><pre>Sent: Thursday, September 29, 2022 5:16 PM</pre><pre>To: Interoperability Documentation Help <</pre><a href="mailto:dochelp@microsoft.com"><pre>dochelp@microsoft.com</pre></a><pre>></pre><pre>Cc: </pre><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre></a><pre><br></pre><pre>Subject: [EXTERNAL] [MS-ADTS] SID as DN alternative for querying groups by member</pre><pre><br></pre><pre>[Some people who received this message don't often get email from </pre><a href="mailto:cs@samba.org"><pre>cs@samba.org</pre></a><pre>. Learn why this is important at </pre><a href="https://aka.ms/LearnAboutSenderIdentification"><pre>https://aka.ms/LearnAboutSenderIdentification</pre></a><pre> ]</pre><pre><br></pre><pre>Hello Dochelp,</pre><pre><br></pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2F92a54869-38d7-4e71-a3be-5f67a0dcdd7e&data=05%7C01%7Cjeffm%40microsoft.com%7Ce876134ecd9f41a39e9f08daa26cec5c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638000885946988687%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2Bwh5uFnMrvzdhcTSOjDNl2996z2qo79nA11JlzISidU%3D&reserved=0"><pre>https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2F92a54869-38d7-4e71-a3be-5f67a0dcdd7e&data=05%7C01%7Cjeffm%40microsoft.com%7Ce876134ecd9f41a39e9f08daa26cec5c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638000885946988687%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2Bwh5uFnMrvzdhcTSOjDNl2996z2qo79nA11JlzISidU%3D&reserved=0</pre></a><pre><br></pre><pre>3.1.1.3.1.2.4 Alternative Forms of DNs</pre><pre><br></pre><pre>documents alternatives to using a DN in LDAP queries, e.g.:</pre><pre> <GUID=object_guid></pre><pre> <SID=sid></pre><pre><br></pre><pre>My understanding is that these can be used interchangeably.</pre><pre><br></pre><pre>Given an AD forest with two domains:</pre><pre>Parent domain: adprotocol9.com running on Windows Server 2019 Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019</pre><pre><br></pre><pre>A User in child domain: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com</pre><pre><br></pre><pre>Groups in parent domain: adgroup839 and adgroup8392 where the above user is a direct member of both groups.</pre><pre><br></pre><pre>A Samba server that is joined to the parent domain and can issue LDAP queries, e.g. through the "net ads search" command.</pre><pre><br></pre><pre>In this environment, the user can be queried through LDAP:</pre><pre><br></pre><pre># net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid Got 1 replies</pre><pre><br></pre><pre>distinguishedName: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com</pre><pre>objectGUID: 5641cd8f-df84-498e-b840-4f46c41ea63a</pre><pre>objectSid: S-1-5-21-686935948-1127628631-3386349506-1104</pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre>The groups where the user is a member can be queried by the user's DN:</pre><pre><br></pre><pre># net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn Got 2 replies</pre><pre><br></pre><pre>cn: adgroup839</pre><pre><br></pre><pre>cn: adgroup8392</pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre>The same query works with the documented alternate <GUID=...> syntax instead of the DN:</pre><pre><br></pre><pre># net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn Got 2 replies</pre><pre><br></pre><pre>cn: adgroup839</pre><pre><br></pre><pre>cn: adgroup8392</pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre>But using the documented alternate <SID=...> syntax does not return the groups:</pre><pre><br></pre><pre># net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn Got 0 replies</pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre>On the other hand, the <SID=...> syntax works when the user is in the same domain as the group:</pre><pre><br></pre><pre># net ads search -P cn=Administrator objectSid Got 1 replies</pre><pre><br></pre><pre>objectSid: S-1-5-21-3620267316-2463581073-2945356329-500</pre><pre><br></pre><pre># net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn Got 5 replies</pre><pre><br></pre><pre>cn: Administrators</pre><pre><br></pre><pre>cn: Schema Admins</pre><pre><br></pre><pre>cn: Enterprise Admins</pre><pre><br></pre><pre>cn: Domain Admins</pre><pre><br></pre><pre>cn: Group Policy Creator Owners</pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre><br></pre><pre>Is there a limitation on using the <SID=...> syntax for querying groups by group members, when the member is in a different domain than the group? Should that be mentioned in the documentation?</pre><pre><br></pre><pre>Regards,</pre><pre><br></pre><pre>Christof</pre><pre><br></pre><pre>_______________________________________________</pre><pre>cifs-protocol mailing list</pre><a href="mailto:cifs-protocol@lists.samba.org"><pre>cifs-protocol@lists.samba.org</pre></a><pre><br></pre><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol"><pre>https://lists.samba.org/mailman/listinfo/cifs-protocol</pre></a><pre><br></pre></blockquote><div><span><pre>-- <br></pre><div style="width: 71ch;">Andrew Bartlett (he/him) <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></div><div style="width: 71ch;">Samba Team Member (since 2001) <a href="https://samba.org">https://samba.org</a></div><div style="width: 71ch;">Samba Team Lead, Catalyst IT <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></div><div style="width: 71ch;"><br></div><div style="width: 71ch;">Samba Development and Support, Catalyst IT - Expert Open Source</div><div style="width: 71ch;">Solutions</div><div style="width: 71ch;"></div></span></div></body></html>