[cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Obaid Farooqi obaidf at microsoft.com
Thu Sep 29 22:49:44 UTC 2022

Hi Christof:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Christof Schmitt <cs at samba.org> 
Sent: Thursday, September 29, 2022 5:16 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-ADTS] SID as DN alternative for querying groups by member

[Some people who received this message don't often get email from cs at samba.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

Hello Dochelp,

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2F92a54869-38d7-4e71-a3be-5f67a0dcdd7e&data=05%7C01%7Cobaidf%40microsoft.com%7C7e231591584c4b8eb12808daa26830a1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638000865974136656%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000%7C%7C%7C&sdata=t4NhvFIo7j2Rr%2B6%2BNOxoA23tqDt9lPbPIu2dInVhTNw%3D&reserved=0 Alternative Forms of DNs

documents alternatives to using a DN in LDAP queries, e.g.:

My understanding is that these can be used interchangeably.

Given an AD forest with two domains:
Parent domain: adprotocol9.com running on Windows Server 2019 Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019

A User in child domain: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com

Groups in parent domain: adgroup839 and adgroup8392 where the above user is a direct member of both groups.

A Samba server that is joined to the parent domain and can issue LDAP queries, e.g. through the "net ads search" command.

In this environment, the user can be queried through LDAP:

# net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid Got 1 replies

distinguishedName: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
objectGUID: 5641cd8f-df84-498e-b840-4f46c41ea63a
objectSid: S-1-5-21-686935948-1127628631-3386349506-1104

The groups where the user is a member can be queried by the user's DN:

# net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn Got 2 replies

cn: adgroup839

cn: adgroup8392

The same query works with the documented alternate <GUID=...> syntax instead of the DN:

# net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn Got 2 replies

cn: adgroup839

cn: adgroup8392

But using the documented alternate <SID=...> syntax does not return the groups:

# net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn Got 0 replies

On the other hand, the <SID=...> syntax works when the user is in the same domain as the group:

# net ads search -P cn=Administrator objectSid Got 1 replies

objectSid: S-1-5-21-3620267316-2463581073-2945356329-500

# net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn Got 5 replies

cn: Administrators

cn: Schema Admins

cn: Enterprise Admins

cn: Domain Admins

cn: Group Policy Creator Owners

Is there a limitation on using the <SID=...> syntax for querying groups by group members, when the member is in a different domain than the group? Should that be mentioned in the documentation?



More information about the cifs-protocol mailing list