[cifs-protocol] How to get the expanded group memberships for a user

Stefan (metze) Metzmacher metze at samba.org
Thu Nov 12 06:47:17 MST 2009


I'm trying to solve the following problem:

COMPUTERS-DOM has an outgoing forest trust to USERS-DOM.

Samba as a member server in COMPUTERS-DOM wants to get the
fully expanded group memberships of user USERS-DOM\Administrator
without knowing the password of USERS-DOM\Administrator.
(The best would be to get the whole PAC structure,
 which we get if the user is authenticated via KRB5
 or netr_LogonSamLogon.)

With a 2-way forest trust that's no problem.
Samba can ask a DC of COMPUTERS-DOM via LookupNames
about the SID of USERS-DOM\Administrator.
Then Samba can use its machine account and ask
a DC of USERS-DOM via LDAP about the tokenGroups of the user
(that's how Samba currently works).
The second way would be to use S4U2Self to get the PAC via a Krb5 ticket.

But with a one-way trust only LookupNames works,
as the DC of COMPUTERS-DOM will proxy the request
to a DC of USERS-DOM using the trust account.

But Samba can't directly talk to a DC of USERS-DOM using
its machine account. So neither LDAP nor S4U2Self will work.

I just found that DRSGetMemberships can also get the
user's groups. I hoped that it would behave like
LookupNames and would be proxied by the DC of COMPUTERS-DOM
to a DC of USERS-DOM. But I'm unable to trigger this.
Is that by design or am I doing something wrong (DRSGetMemberships
works fine for the SID of COMPUTERS-DOM\Administrator)?

Is there any other way to solve this problem?

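As an added illustration (this is not part of the original message and not Samba's own code): when the two-way-trust path described above succeeds, the tokenGroups attribute the USERS-DOM DC returns is a multi-valued octet string holding one binary SID per transitive group. The helper below decodes that wire format (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities), encodes it back for round-trip checks, and groups the expanded membership by domain SID so that groups from the user's own domain, BUILTIN and a trusting domain can be told apart. The domain SIDs and the tokenGroups values are constructed for the example.

```python
import struct

# Constructed domain SIDs for the two forests in the thread (not real values).
USERS_DOM_SID = "S-1-5-21-1111-2222-3333"
COMPUTERS_DOM_SID = "S-1-5-21-4444-5555-6666"


def decode_sid(blob: bytes) -> str:
    """Decode a binary SID (as returned in tokenGroups/objectSid) to S-1-... form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, blob, 8)    # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Encode an S-1-... string into the binary SID wire format."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID: %r" % sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Split a group SID into (domain SID prefix, RID)."""
    prefix, sep, rid = sid.rpartition("-")
    if not sep or prefix.count("-") < 2:
        raise ValueError("SID has no RID: %r" % sid)
    return prefix, int(rid)


def group_by_domain(token_groups):
    """Decode a tokenGroups result and bucket RIDs by the domain they belong to."""
    out = {}
    for blob in token_groups:
        domain, rid = split_sid(decode_sid(blob))
        out.setdefault(domain, set()).add(rid)
    return out


# Constructed tokenGroups result for USERS-DOM\Administrator: Domain Admins (512),
# Domain Users (513), Enterprise Admins (519), BUILTIN\Administrators (S-1-5-32-544)
# and one domain-local group (RID 1105) from the trusting COMPUTERS-DOM.
SAMPLE_TOKEN_GROUPS = [
    encode_sid(USERS_DOM_SID + "-512"),
    encode_sid(USERS_DOM_SID + "-513"),
    encode_sid(USERS_DOM_SID + "-519"),
    b"\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00",  # S-1-5-32-544
    encode_sid(COMPUTERS_DOM_SID + "-1105"),
]

if __name__ == "__main__":
    for domain, rids in sorted(group_by_domain(SAMPLE_TOKEN_GROUPS).items()):
        label = {USERS_DOM_SID: "USERS-DOM", COMPUTERS_DOM_SID: "COMPUTERS-DOM",
                 "S-1-5-32": "BUILTIN"}.get(domain, domain)
        print("%-13s %s -> RIDs %s" % (label, domain, sorted(rids)))
```

Note that tokenGroups is already the transitively expanded set computed by the DC, so no further nesting walk is needed on the client; the grouping step only matters for deciding which SIDs belong to the user's own domain and which were added by the trusting domain.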
