[cifs-protocol] [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

Andrew Bartlett abartlet at samba.org
Tue Dec 2 16:13:40 MST 2014

On Tue, 2014-12-02 at 23:06 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> As per MS-DRSR, section " GetDSNameOfEnterpriseRODCsGroup", the procedure GetDSNameOfEnterpriseRODCsGroup is going to return an object whose Sid is <domain SID>-498. This SID is for the group object CN=Enterprise Read-Only Domain Controllers.
> So the following snippet in effect will add the DSName of the above object to the  wSet if u object happens to be a workstation or an RODC. The workstation object is not added to set.
>                                 wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
> endif
> Please let me know if I did not understand your question correctly or the above explanation does not answer your question.

I agree that is what it does, but is that what it should do, in the
context?  Shouldn't we be adding this to the set only if we are an RODC,
but not if we are a workstation?  

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list