[cifs-protocol] How to RODCs get their membership of the ENTERPRISE_RODCs group
abartlet at samba.org
Mon Aug 16 23:22:12 MDT 2010
We are working on having Samba support having Win2k8 servers as read
only domain controller in the Samba4 domain.
We noticed that RODCs are given primaryGroupID of 521 - the RODC group
for the local domain. This happens when they join over LDAP (we can't
find the documentation for this either, but it's clear from our
However, all the documentation talks about RODCs being a member of the
enterprise read only domain controller group - which has a RID of 498.
How is the 498 implied from the 521? There isn't a member link between
the groups for example. Is it simply linked during token construction
somehow? It also does not appear in the tokenGroups of the RODC account
over LDAP (as found in a base search on the RODC object).
However, it does show up in the tokenGroups in the rootDSE, if we
connect *as* the RODC
Can you please explain how we are meant to get from one to the other?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 190 bytes
Desc: This is a digitally signed message part
More information about the cifs-protocol