[cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member

Christof Schmitt cs at samba.org
Thu Sep 29 22:15:45 UTC 2022


Hello Dochelp,

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/92a54869-38d7-4e71-a3be-5f67a0dcdd7e
3.1.1.3.1.2.4 Alternative Forms of DNs

documents alternatives to using a DN in LDAP queries, e.g.:
 <GUID=object_guid>
 <SID=sid>

My understanding is that these can be used interchangeably.

Given an AD forest with two domains:
Parent domain: adprotocol9.com running on Windows Server 2019
Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019

A User in child domain: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com

Groups in parent domain: adgroup839 and adgroup8392 where the above user
is a direct member of both groups.

A Samba server that is joined to the parent domain and can issue LDAP
queries, e.g. through the "net ads search" command.

In this environment, the user can be queried through LDAP:

# net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid
Got 1 replies

distinguishedName: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
objectGUID: 5641cd8f-df84-498e-b840-4f46c41ea63a
objectSid: S-1-5-21-686935948-1127628631-3386349506-1104




The groups where the user is a member can be queried by the user's DN:

# net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn
Got 2 replies

cn: adgroup839

cn: adgroup8392




The same query works with the documented alternate <GUID=...> syntax
instead of the DN:

# net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn
Got 2 replies

cn: adgroup839

cn: adgroup8392




But using the documented alternate <SID=...> syntax does not return the groups:

# net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn
Got 0 replies




On the other hand, the <SID=...> syntax works when the user is in the
same domain as the group:

# net ads search -P cn=Administrator objectSid
Got 1 replies

objectSid: S-1-5-21-3620267316-2463581073-2945356329-500

# net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn
Got 5 replies

cn: Administrators

cn: Schema Admins

cn: Enterprise Admins

cn: Domain Admins

cn: Group Policy Creator Owners





Is there a limitation on using the <SID=...> syntax for querying groups
by group members, when the member is in a different domain than the
group? Should that be mentioned in the documentation?

Regards,

Christof



More information about the cifs-protocol mailing list