[cifs-protocol] How to get the expanded group memberships for a user

Edgar Olougouna edgaro at microsoft.com
Tue Dec 8 08:20:39 MST 2009 

Metze,

Thank you for your inquiry. Please find below the answers for your questions. 

1)	When calling DRSGetMemberships to get the user’s group memberships, DRSGetMemberships is not proxied by the DC of COMPUTER-DOM to a DC of USERS-DOM in the cross-forest trust scenario you described.

2)	It is by design that the DRSGetMemberships reverse membership derivation only occurs for an object that is local to the DC of COMPUTER-DOM (unlike LookupNames that would be proxied by the DC of COMPUTER-DOM to a DC of USERS-DOM).

3)	This explains why you were able to use DRSGetMemberships and lookup memberships for the SID of COMPUTER-DOM\Administrator. 

Let us know whether you have further questions on this topic.

Best regards,
Edgar


-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Thursday, November 12, 2009 7:47 AM
To: Interoperability Documentation Help; cifs-protocol at samba.org; pfif at tridgell.net
Subject: How to get the expanded group memberships for a user

Hi,

I'm trying to solve the following problem:

COMPUTERS-DOM has an outgoing forest trust to USERS-DOM.

Samba as a member server in COMPUTERS-DOM want to get fully expanded group memberships of user USERS-DOM\Administrator without knowing the password of USERS-DOM\Administrator.
(The best would be to get the whole PAC structure,  which we're getting if the user is authenticated via KRB5  of netr_LogonSamLogon).

With a 2-way forest trust that's no problem.
Samba can ask a DC of COMPUTER-DOM via LookupNames about the SID of USERS-DOM\Administrator.
Then Samba can use it's machine account and ask a DC of USERS-DOM via LDAP about the tokenGroups of the user (That's how Samba currently work).
The second way would be to use S4U2Self to get the PAC via a Krb5 Ticket.

But with a one-way trust only the LookupNames works, as the DC of COMPUTER-DOM will proxy the request to a DC of USERS-DOM using the trust account.

But Samba can't directly talk to a DC of USERS-DOM using it's machine account. So both LDAP and S4U2Self won't work.

I just found that DRSGetMemberships can also get the users groups. I hoped that it would behave like LookupNames and would be proxied by the DC of COMPUTER-DOM to a DC of USERS-DOM. But I'm unable to trigger this.
Is that by design or am I doing something wrong (DRSGetMemberships works fine for the SID of COMPUTER-DOM\Administrator)?

Is there any other way to solve this Problem?

metze

More information about the cifs-protocol mailing list