[cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member
Christof Schmitt
cs at samba.org
Thu Sep 29 22:15:45 UTC 2022
Hello Dochelp,

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/92a54869-38d7-4e71-a3be-5f67a0dcdd7e
3.1.1.3.1.2.4 Alternative Forms of DNs
documents alternatives to using a DN in LDAP queries, e.g.:

  <GUID=object_guid>
  <SID=sid>

My understanding is that these can be used interchangeably.

Given an AD forest with two domains:

  Parent domain: adprotocol9.com running on Windows Server 2019
  Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019
  A user in child domain: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
  Groups in parent domain: adgroup839 and adgroup8392 where the above user
  is a direct member of both groups.
  A Samba server that is joined to the parent domain and can issue LDAP
  queries, e.g. through the "net ads search" command.

In this environment, the user can be queried through LDAP:

  # net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid
  Got 1 replies
  distinguishedName: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
  objectGUID: 5641cd8f-df84-498e-b840-4f46c41ea63a
  objectSid: S-1-5-21-686935948-1127628631-3386349506-1104

The groups where the user is a member can be queried by the user's DN:

  # net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn
  Got 2 replies
  cn: adgroup839
  cn: adgroup8392

The same query works with the documented alternate <GUID=...> syntax
instead of the DN:

  # net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn
  Got 2 replies
  cn: adgroup839
  cn: adgroup8392

But using the documented alternate <SID=...> syntax does not return the groups:

  # net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn
  Got 0 replies

On the other hand, the <SID=...> syntax works when the user is in the
same domain as the group:

  # net ads search -P cn=Administrator objectSid
  Got 1 replies
  objectSid: S-1-5-21-3620267316-2463581073-2945356329-500

  # net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn
  Got 5 replies
  cn: Administrators
  cn: Schema Admins
  cn: Enterprise Admins
  cn: Domain Admins
  cn: Group Policy Creator Owners

Is there a limitation on using the <SID=...> syntax for querying groups
by group members, when the member is in a different domain than the
group? Should that be mentioned in the documentation?

Regards,
Christof
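Added example (not from the post or from Samba's code): it decodes the binary objectGUID and objectSid that LDAP actually returns into the string forms used above, builds the three equivalent "member=" filters from [MS-ADTS] 3.1.1.3.1.2.4 with RFC 4515 escaping of the DN, and holds the <SID=...> form back unless the member's domain SID matches the domain being searched, reflecting the 0-reply cross-domain result reported in the post. The sample bytes are constructed to encode the post's values; the names and the filter ordering are this example's own assumptions.

```python
import struct
import uuid


def guid_to_string(raw: bytes) -> str:
    """objectGUID arrives as 16 bytes in Microsoft little-endian (mixed-endian) layout."""
    return str(uuid.UUID(bytes_le=raw))


def sid_to_string(raw: bytes) -> str:
    """objectSid layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), sub-authorities (4 bytes little-endian each)."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing ( ) * or \\ cannot alter the filter structure."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value


def member_filters(dn: str, guid_raw: bytes, sid_raw: bytes) -> dict:
    """The three documented equivalent 'member=' filters: plain DN, <GUID=...>, <SID=...>."""
    return {
        "dn": "(member=%s)" % escape_filter_value(dn),
        "guid": "(member=<GUID=%s>)" % guid_to_string(guid_raw),
        "sid": "(member=<SID=%s>)" % sid_to_string(sid_raw),
    }


def domain_sid(sid: str) -> str:
    """Drop the RID (last sub-authority) to obtain the SID of the issuing domain."""
    return sid.rsplit("-", 1)[0]


def filters_to_try(dn: str, guid_raw: bytes, sid_raw: bytes, searched_domain_sid: str) -> list:
    """DN and GUID forms always; the SID form only when the member belongs to the
    searched domain (assumption drawn from the post's cross-domain 0-reply result)."""
    forms = member_filters(dn, guid_raw, sid_raw)
    order = [forms["dn"], forms["guid"]]
    if domain_sid(sid_to_string(sid_raw)) == searched_domain_sid:
        order.append(forms["sid"])
    return order


# Constructed sample input: the post's values as the raw bytes LDAP would return them.
USER_DN = "CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com"
USER_GUID = b"\x8f\xcd\x41\x56\x84\xdf\x8e\x49\xb8\x40\x4f\x46\xc4\x1e\xa6\x3a"
USER_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 686935948, 1127628631, 3386349506, 1104)
PARENT_DOMAIN_SID = "S-1-5-21-3620267316-2463581073-2945356329"  # domain part of the Administrator SID above

if __name__ == "__main__":
    for f in filters_to_try(USER_DN, USER_GUID, USER_SID, PARENT_DOMAIN_SID):
        print(f)
```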