[cifs-protocol] primaryGroupToken
Edgar Olougouna
edgaro at microsoft.com
Mon Dec 14 17:14:11 MST 2009
Andrew,
Your observation regarding the primaryGroupToken attribute is right. We have reviewed and updated the definition in MS-ADA3. The update will appear in a future release of the document.
Current MS-ADA3
2.120 Attribute primaryGroupToken
This attribute specifies a computed attribute that is used in retrieving the membership list of a group such as Domain Users. The complete membership of such groups is not stored explicitly for scaling reasons. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].
MS-ADA3 update similar to:
2.120 Attribute primaryGroupToken
This attribute specifies a computed attribute that is the relative identifier (RID) of the group's SID. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].
Thanks for helping us improve the MS-ADA3 documentation.
Best regards,
Edgar
-----Original Message-----
From: Edgar Olougouna
Sent: Friday, December 04, 2009 9:09 AM
To: 'Andrew Bartlett'
Cc: 'cifs-protocol at samba.org'; 'pfif at tridgell.net'; 'Matthieu Patou'
Subject: RE: primaryGroupToken
Andrew,
I am looking into this and will keep you updated with my progress.
Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, December 03, 2009 4:00 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org; pfif at tridgell.net; Matthieu Patou
Subject: primaryGroupToken
MS-ADA3 2.120 claims:
Attribute primaryGroupToken
This attribute specifies a computed attribute that is used in retrieving the membership list of a group
such as Domain Users. The complete membership of such groups is not stored explicitly for scaling
reasons. For more information refer to [MS-ADTS] section 3.1.1.4.5.11 and [MS-SAMR].
However,
MS-ADTS 3.1.1.4.5.11 claims:
primaryGroupToken
Let TO be the object from which the primaryGroupToken attribute is being read.
The value of TO!primaryGroupToken is the RID from TO!objectSid when there exists C in
TO!objectClass such that C is the group class. Otherwise, no value is returned. That is, if TO is a
group, then the value of this attribute is the RID from the group's SID. If TO is not a group, no
value is returned when this attribute is read from TO.
The behaviour of Windows 2008 appears to follow MS-ADTS. That is, the primaryGroupToken appears to be the RID of the objectSID for all groups.
Please advise, clarify or correct,
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
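
The MS-ADTS 3.1.1.4.5.11 rule quoted in the thread, worked through in Python as an added example (not part of the original messages and not Samba or Microsoft code). The function names and the domain sub-authority values are constructed for illustration; 513 is the well-known RID of Domain Users.

```python
import struct

def parse_sid(raw: bytes):
    """Decode a binary objectSid into (revision, authority, sub_authorities)."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit, big-endian
    subs = list(struct.unpack("<%dI" % count, raw[8:]))    # 32-bit, little-endian
    return revision, authority, subs

def sid_to_string(raw: bytes) -> str:
    revision, authority, subs = parse_sid(raw)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def primary_group_token(object_classes, object_sid: bytes):
    """Return the RID of TO!objectSid if TO is a group, otherwise None."""
    # "there exists C in TO!objectClass such that C is the group class"
    if not any(c.lower() == "group" for c in object_classes):
        return None                                        # no value is returned
    _, _, subs = parse_sid(object_sid)
    if not subs:
        raise ValueError("SID has no sub-authorities, so it has no RID")
    return subs[-1]                                        # the RID is the last sub-authority

def build_sid(authority: int, subs) -> bytes:
    """Helper used only to construct the sample SIDs below."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample data: a made-up domain SID prefix with two RIDs.
DOMAIN = (21, 1004336348, 1177238915, 682003330)
DOMAIN_USERS_SID = build_sid(5, DOMAIN + (513,))           # Domain Users
SOME_USER_SID = build_sid(5, DOMAIN + (1105,))             # hypothetical user account

if __name__ == "__main__":
    print(sid_to_string(DOMAIN_USERS_SID),
          primary_group_token(["top", "group"], DOMAIN_USERS_SID))
    print(sid_to_string(SOME_USER_SID),
          primary_group_token(["top", "person", "user"], SOME_USER_SID))
```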