[cifs-protocol] [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?
Andrew Bartlett
abartlet at samba.org
Tue Dec 2 16:13:40 MST 2014
On Tue, 2014-12-02 at 23:06 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> As per MS-DRSR, section "4.1.8.2.4 GetDSNameOfEnterpriseRODCsGroup", the procedure GetDSNameOfEnterpriseRODCsGroup is going to return an object whose Sid is <domain SID>-498. This SID is for the group object CN=Enterprise Read-Only Domain Controllers.
>
> So the following snippet in effect will add the DSName of the above object to the wSet if u object happens to be a workstation or an RODC. The workstation object is not added to the set.
>
> if((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT = ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
>     (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT = ADS_UF_PARTIAL_SECRETS_ACCOUNT))
>     wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
> endif
>
> Please let me know if I did not understand your question correctly or the above explanation does not answer your question.
I agree that is what it does, but is that what it should do, in the
context? Shouldn't we be adding this to the set only if we are an RODC,
but not if we are a workstation?
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
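The following Python is an added illustration, not code from this thread, from Samba, or from the MS-DRSR text. It models the quoted userAccountControl condition next to the RODC-only variant the reply asks about, so the difference between the two is visible on concrete accounts. The flag values are the documented userAccountControl bits; the domain SID and the sample accounts (a plain workstation, an RODC carrying both the workstation-trust and partial-secrets bits, and a writable DC) are constructed for the example.

```python
# Added example: compare the quoted MS-DRSR condition with the
# "RODC only" reading of which accounts get the Enterprise RODCs group.

# userAccountControl bit values (documented AD flags, not from the thread)
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Well-known RID of CN=Enterprise Read-Only Domain Controllers (from the thread)
ENTERPRISE_RODCS_RID = 498

# Constructed domain SID for the example; any domain SID has this shape
DOMAIN_SID = "S-1-5-21-1000000000-2000000000-3000000000"


def enterprise_rodcs_group_sid(domain_sid: str) -> str:
    """SID returned by GetDSNameOfEnterpriseRODCsGroup: <domain SID>-498."""
    return f"{domain_sid}-{ENTERPRISE_RODCS_RID}"


def memberships_as_specified(uac: int, domain_sid: str) -> set[str]:
    """The condition as written in the quoted pseudocode:
    workstation trust account OR partial secrets account."""
    wset: set[str] = set()
    is_workstation = (uac & ADS_UF_WORKSTATION_TRUST_ACCOUNT) == ADS_UF_WORKSTATION_TRUST_ACCOUNT
    is_partial_secrets = (uac & ADS_UF_PARTIAL_SECRETS_ACCOUNT) == ADS_UF_PARTIAL_SECRETS_ACCOUNT
    if is_workstation or is_partial_secrets:
        wset.add(enterprise_rodcs_group_sid(domain_sid))
    return wset


def memberships_rodc_only(uac: int, domain_sid: str) -> set[str]:
    """The reading the reply argues for: only an RODC (partial secrets
    account) gets the group; a plain workstation does not."""
    wset: set[str] = set()
    if (uac & ADS_UF_PARTIAL_SECRETS_ACCOUNT) == ADS_UF_PARTIAL_SECRETS_ACCOUNT:
        wset.add(enterprise_rodcs_group_sid(domain_sid))
    return wset


# Constructed sample accounts (assumed flag combinations, labelled as such):
# an RODC computer account carries both the workstation-trust and
# partial-secrets bits; a writable DC carries the server-trust bit.
SAMPLE_ACCOUNTS = {
    "workstation": ADS_UF_WORKSTATION_TRUST_ACCOUNT,
    "rodc": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_PARTIAL_SECRETS_ACCOUNT,
    "writable_dc": ADS_UF_SERVER_TRUST_ACCOUNT,
}


def accounts_where_readings_differ(domain_sid: str = DOMAIN_SID) -> list[str]:
    """Names of sample accounts for which the two readings disagree."""
    differing = []
    for name, uac in SAMPLE_ACCOUNTS.items():
        if memberships_as_specified(uac, domain_sid) != memberships_rodc_only(uac, domain_sid):
            differing.append(name)
    return differing


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:12s} spec={sorted(memberships_as_specified(uac, DOMAIN_SID))}"
              f" rodc_only={sorted(memberships_rodc_only(uac, DOMAIN_SID))}")
    print("differ on:", accounts_where_readings_differ())
```

Only the plain workstation account separates the two readings: the quoted condition puts it in the Enterprise RODCs group, the RODC-only variant does not, while the RODC and the writable DC are classified the same either way.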