[cifs-protocol] primaryGroupToken

[Sebastian Canevari]

Hi Andrew,

Thanks for your inquiry.

Someone from my team will be contacting you shortly to help you with this.

Thanks and regards,

Sebastian


Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Thursday, December 03, 2009 4:00 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; pfif at tridgell.net; Matthieu Patou
Subject: primaryGroupToken

MS-ADA3 2.120 claims:

Attribute primaryGroupToken
  This attribute specifies a computed attribute that is used in retrieving the membership list of a group
  such as Domain Users. The complete membership of such groups is not stored explicitly for scaling
  reasons. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].

However,
MS-ADTS 3.1.1.4.5.11 claims:

primaryGroupToken
  Let TO be the object from which the primaryGroupToken attribute is being read.
  The value of TO!primaryGroupToken is the RID from TO!objectSid when there exists C in
  TO!objectClass such that C is the group class. Otherwise, no value is returned. That is, if TO is a
  group, then the value of this attribute is the RID from the group's SID. If TO is not a group, no
  value is returned when this attribute is read from TO.

The behaviour of Window 2008 appears to follow MS-ADTS.  That is, the primaryGroupToken appears to be the RID of the objectSID for all groups. 

Please advise, clarify or correct,

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.