[cifs-protocol] How do RODCs get their membership of the ENTERPRISE_RODCs group

Andrew Bartlett abartlet at samba.org
Mon Aug 16 23:22:12 MDT 2010

We are working on having Samba support Win2k8 servers as read-only
domain controllers in the Samba4 domain.

We noticed that RODCs are given primaryGroupID of 521 - the RODC group
for the local domain.  This happens when they join over LDAP (we can't
find the documentation for this either, but it's clear from our

However, all the documentation talks about RODCs being a member of the
enterprise read only domain controller group - which has a RID of 498. 

How is the 498 implied from the 521?  There isn't a member link between
the groups for example.  Is it simply linked during token construction
somehow?  It also does not appear in the tokenGroups of the RODC account
over LDAP (as found in a base search on the RODC object).

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521

However, it does show up in the tokenGroups in the rootDSE, if we
connect *as* the RODC:

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-1116
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-498
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-64-10

Can you please explain how we are meant to get from one to the other?


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
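
Added example (not part of the original message and not Samba code): a small Python comparison of the two tokenGroups listings quoted above, showing which SIDs exist only in the token built at logon. The 521 and 498 labels come from the message; the other names are standard Windows well-known SIDs and RIDs, and RID 1116 is treated as account-specific.

```python
# Added example: diff the stored tokenGroups against the logon token's tokenGroups.
DOMAIN_SID = "S-1-5-21-3565189888-2228146013-2029845409"  # domain SID from the message

# Copied from the message: base search on the RODC object over LDAP.
LDAP_OBJECT = """\
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
"""
# Copied from the message: rootDSE read while bound *as* the RODC.
ROOTDSE_RIDS = [1116, 521, 498, 572]
ROOTDSE_OTHER = ["S-1-1-0", "S-1-5-32-554", "S-1-5-32-545", "S-1-5-2",
                 "S-1-5-11", "S-1-5-15", "S-1-5-64-10"]
ROOTDSE = "".join(f"tokenGroups: {DOMAIN_SID}-{r}\n" for r in ROOTDSE_RIDS) + \
          "".join(f"tokenGroups: {s}\n" for s in ROOTDSE_OTHER)

DOMAIN_RIDS = {  # 521 and 498 as named in the message; 572 is the standard RID
    521: "Read-only Domain Controllers (primaryGroupID)",
    498: "Enterprise Read-only Domain Controllers",
    572: "Denied RODC Password Replication Group",
}
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users", "S-1-5-15": "This Organization",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-64-10": "NTLM Authentication",
}

def parse_token_groups(text):
    """Collect SID strings from 'tokenGroups: <SID>' lines, ignoring anything else."""
    sids = set()
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "tokengroups":
            sids.add(value.strip())
    return sids

def describe(sid):
    """Return (rid_or_None, label); the RID is set only for SIDs in DOMAIN_SID."""
    if sid.startswith(DOMAIN_SID + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        return rid, DOMAIN_RIDS.get(rid, "account-specific RID (assumption)")
    return None, WELL_KNOWN.get(sid, "unlabelled SID")

def added_at_logon(stored_text, token_text):
    """SIDs in the logon token that the object's own tokenGroups does not list."""
    return sorted(parse_token_groups(token_text) - parse_token_groups(stored_text))

if __name__ == "__main__":
    for sid in added_at_logon(LDAP_OBJECT, ROOTDSE):
        print(sid, "->", describe(sid)[1])
```
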