[cifs-protocol] How to get the expanded group memberships for a user

Tom Jebo tomjebo at microsoft.com
Thu Nov 12 07:21:02 MST 2009


Stefan, 

Thanks for your request regarding Samba and expanded group memberships.  One of my team will contact you shortly to investigate. 

Best regards,
Tom Jebo
Senior Support Escalation Engineer
Microsoft Open Specification Documentation Support

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Thursday, November 12, 2009 8:47 AM
To: Interoperability Documentation Help; cifs-protocol at samba.org; pfif at tridgell.net
Subject: How to get the expanded group memberships for a user

Hi,

I'm trying to solve the following problem:

COMPUTERS-DOM has an outgoing forest trust to USERS-DOM.

Samba as a member server in COMPUTERS-DOM wants to get fully expanded group memberships of user USERS-DOM\Administrator without knowing the password of USERS-DOM\Administrator.
(The best would be to get the whole PAC structure, which we're getting if the user is authenticated via KRB5 or netr_LogonSamLogon).

With a 2-way forest trust that's no problem.
Samba can ask a DC of COMPUTER-DOM via LookupNames about the SID of USERS-DOM\Administrator.
Then Samba can use its machine account and ask a DC of USERS-DOM via LDAP about the tokenGroups of the user (That's how Samba currently works).
The second way would be to use S4U2Self to get the PAC via a Krb5 Ticket.

But with a one-way trust only the LookupNames works, as the DC of COMPUTER-DOM will proxy the request to a DC of USERS-DOM using the trust account.

But Samba can't directly talk to a DC of USERS-DOM using its machine account. So both LDAP and S4U2Self won't work.

I just found that DRSGetMemberships can also get the user's groups. I hoped that it would behave like LookupNames and would be proxied by the DC of COMPUTER-DOM to a DC of USERS-DOM. But I'm unable to trigger this.
Is that by design or am I doing something wrong (DRSGetMemberships works fine for the SID of COMPUTER-DOM\Administrator)?

Is there any other way to solve this problem?

metze
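The two-way-trust path metze describes (LookupNames for the SID, then an LDAP read of the user's tokenGroups) returns group SIDs as binary blobs. As an added example, not code from the thread or from Samba, here is a decoder for those blobs that also sorts the expanded groups by the domain they belong to, so a member server can check that the expansion really covers USERS-DOM groups; the domain SID and tokenGroups values are constructed sample data.

```python
# Added example (not from the thread or Samba): decode the binary SIDs a DC
# returns in tokenGroups and split them by the domain they belong to.
import struct

def sid_to_str(blob: bytes) -> str:
    """Decode one binary SID (the objectSid/tokenGroups wire form) into S-1-... text."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * sub_count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % sub_count, blob[8:])  # sub-authorities, 32-bit little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def str_to_sid(sid: str) -> bytes:
    """Encode S-1-... text into the binary form (used here only to build sample data)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID string")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def split_token_groups(token_groups, domain_sid):
    """Group decoded tokenGroups values by origin: the user's own domain, BUILTIN, or another domain."""
    out = {"domain": [], "builtin": [], "foreign": []}
    for blob in token_groups:
        sid = sid_to_str(blob)
        if sid.rsplit("-", 1)[0] == domain_sid:   # same domain SID prefix, RID stripped
            out["domain"].append(sid)
        elif sid.startswith("S-1-5-32-"):         # BUILTIN domain-local groups
            out["builtin"].append(sid)
        else:
            out["foreign"].append(sid)
    return out

# Constructed sample: a made-up USERS-DOM domain SID and the tokenGroups values an
# LDAP search against a USERS-DOM DC might return for Administrator.
USERS_DOM_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_TOKEN_GROUPS = [str_to_sid(s) for s in (
    USERS_DOM_SID + "-512",            # Domain Admins
    USERS_DOM_SID + "-513",            # Domain Users
    "S-1-5-32-544",                    # BUILTIN\Administrators, reached via Domain Admins
    "S-1-5-21-4444-5555-6666-1105",    # a group from another (constructed) domain in the forest
)]

if __name__ == "__main__":
    for kind, sids in split_token_groups(SAMPLE_TOKEN_GROUPS, USERS_DOM_SID).items():
        print(kind, sids)
```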


