[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hongwei Sun hongweis at microsoft.com
Mon Aug 30 17:06:35 MDT 2010


Tridge/Andrew,

  Have you got a chance to take a look at this ?  If you can send a confirmation and some information , then I can continue to work on it.  I understand that you are probably busy with preparing for IO Lab.   If you prefer to work on this together during IO Lab,  I am fine with that too.   

Thanks!

Hongwei
 

-----Original Message-----
From: Hongwei Sun 
Sent: Monday, August 23, 2010 6:37 PM
To: 'tridge at samba.org'
Cc: Andrew Bartlett; cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Tridge/Andrew,

   I have been testing and debugging the Windows behavior related to tokenGroups rootDSE attribute in RODC.  It seems that I cannot duplicate what you have observed.   I have a RODC joined to a domain that has two more RWDCs.  I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain.  They don't include RID 498.  

	Dn: (RootDSE)
	tokenGroups (16): 
	S-1-5-21-3071076805-1052773752-2226054901-500; 
	S-1-5-21-3071076805-1052773752-2226054901-513; 
	S-1-1-0; 
	S-1-5-32-544; 
	S-1-5-32-545; 
	S-1-5-32-574; 
	S-1-5-32-554; 
	S-1-5-2; 
	S-1-5-11; 
	S-1-5-15; 
	S-1-5-21-3071076805-1052773752-2226054901-512; 
	S-1-5-21-3071076805-1052773752-2226054901-520; 
	S-1-5-21-3071076805-1052773752-2226054901-519; 
	S-1-5-21-3071076805-1052773752-2226054901-518; 
	S-1-5-21-3071076805-1052773752-2226054901-1103; 
	S-1-5-21-3071076805-1052773752-2226054901-572; 

	-----------
	***Searching...
	ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 0, "(objectclass=*)", attrList,  0, &msg)
	Getting 1 entries:
	Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
	tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572; S-1-5-21-3071076805-1052773752-2226054901-521; 

   I am wondering what the difference is between your environment and my repro.  Andrew mentioned that  "However, it does show up in the tokenGroups in the rootDSE, if we connect *as* the RODC".   Does that mean Samba DC is connected as a RODC ?

Thanks!

Hongwei
   
 

-----Original Message-----
From: tridge at samba.org [mailto:tridge at samba.org] 
Sent: Tuesday, August 17, 2010 7:30 PM
To: Hongwei Sun
Cc: Andrew Bartlett; cifs-protocol at samba.org; MSSolve Case Email
Subject: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hi Hongwei,

 >    You mentioned that all the documentation talks about RODCs being
 >    a member of the enterprise read only domain controller group,
 >    which has a RID of 498.  What part of the document do you refer
 >    to ?

See for example [MS-DRSR] 4.1.10.5.12 which has this:

     *   1. Caller is an RODC. An RODC will always be a member of
     *      "Enterprise Read-Only Domain Controllers" (RID 498)

 >   Should I take the question as why tokenGroups of rootDSE has 498
 >   but the tokenGroups of RODC account doesn't have it ?

that is one way to look at it. 

We can see via tokenGroups that RODCs are a member of both the group
with RID 498 and the group with RID 521.

Normally a user becomes a member of a group in one of three ways.

 1) via it being the primaryGroupID of the user

 2) via a member attribute on a group (or equivalently via a memberOf
    back link)

 3) via some "special handling" that adds things like anonymous or
    world or other special groups

We suspect that RODCs being a member of 498 is due to something in the
"special handling" category, but we'd like to know what the nature of
that special handling is. 

For example, is it something as simple as "when constructing the token
for a user, always add RID 498 if they have RID 521 in their token
from the same domain". Where things may get tricky is in the
inter-domain (eg. forest) handling. We'd like to make sure we get this
right, or at least understand how we're getting it wrong :-)

Cheers, Tridge



More information about the cifs-protocol mailing list