[cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
Obaid Farooqi
obaidf at microsoft.com
Thu Sep 29 22:49:44 UTC 2022
Hi Christof:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
-----Original Message-----
From: Christof Schmitt <cs at samba.org>
Sent: Thursday, September 29, 2022 5:16 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-ADTS] SID as DN alternative for querying groups by member
Hello Dochelp,
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/92a54869-38d7-4e71-a3be-5f67a0dcdd7e
3.1.1.3.1.2.4 Alternative Forms of DNs
documents alternatives to using a DN in LDAP queries, e.g.:
<GUID=object_guid>
<SID=sid>
My understanding is that these can be used interchangeably.
Given an AD forest with two domains:
Parent domain: adprotocol9.com running on Windows Server 2019
Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019
A User in child domain: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
Groups in parent domain: adgroup839 and adgroup8392 where the above user is a direct member of both groups.
A Samba server that is joined to the parent domain and can issue LDAP queries, e.g. through the "net ads search" command.
In this environment, the user can be queried through LDAP:
# net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid
Got 1 replies
distinguishedName: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
objectGUID: 5641cd8f-df84-498e-b840-4f46c41ea63a
objectSid: S-1-5-21-686935948-1127628631-3386349506-1104
The groups where the user is a member can be queried by the user's DN:
# net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn
Got 2 replies
cn: adgroup839
cn: adgroup8392
The same query works with the documented alternate <GUID=...> syntax instead of the DN:
# net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn
Got 2 replies
cn: adgroup839
cn: adgroup8392
But using the documented alternate <SID=...> syntax does not return the groups:
# net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn
Got 0 replies
On the other hand, the <SID=...> syntax works when the user is in the same domain as the group:
# net ads search -P cn=Administrator objectSid
Got 1 replies
objectSid: S-1-5-21-3620267316-2463581073-2945356329-500
# net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn
Got 5 replies
cn: Administrators
cn: Schema Admins
cn: Enterprise Admins
cn: Domain Admins
cn: Group Policy Creator Owners
Is there a limitation on using the <SID=...> syntax for querying groups by group members, when the member is in a different domain than the group? Should that be mentioned in the documentation?
Regards,
Christof
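Added example, not code from the thread, from Samba or from Microsoft: helpers that build the three member filters compared above (plain DN, <GUID=...> and <SID=...>), with the binary-to-text conversions a client needs because LDAP returns objectSid and objectGUID as raw bytes. The SID layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and the little-endian GUID byte order are the standard Windows encodings; the filter escaping follows RFC 4515. The sample values are the ones quoted in the message; function names are my own.

```python
# Added example (not part of the mailing-list thread or of Samba).
import struct
import uuid


def sid_bytes_to_string(data: bytes) -> str:
    """Convert a binary SID (as LDAP returns objectSid) to 'S-1-...' text."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", data[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; also serves as a syntax check."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a textual SID: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def guid_bytes_to_string(data: bytes) -> str:
    """objectGUID is stored in little-endian field order; uuid handles that."""
    return str(uuid.UUID(bytes_le=data))


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_filter(form: str, value: str) -> str:
    """Build a (member=...) filter from a DN, a GUID or a SID reference.

    form is one of "dn", "guid" or "sid". The GUID and SID forms are the
    alternative DN syntaxes from MS-ADTS 3.1.1.3.1.2.4.
    """
    if form == "dn":
        ref = value
    elif form == "guid":
        ref = f"<GUID={uuid.UUID(value)}>"   # normalises case and braces
    elif form == "sid":
        sid_string_to_bytes(value)           # rejects malformed SID text
        ref = f"<SID={value}>"
    else:
        raise ValueError(f"unknown reference form {form!r}")
    return f"(member={ldap_escape(ref)})"


if __name__ == "__main__":
    user_dn = "CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com"
    user_guid = "5641cd8f-df84-498e-b840-4f46c41ea63a"
    user_sid = "S-1-5-21-686935948-1127628631-3386349506-1104"
    for form, value in (("dn", user_dn), ("guid", user_guid), ("sid", user_sid)):
        print(member_filter(form, value))
    print(sid_bytes_to_string(sid_string_to_bytes(user_sid)))
```

Given the behaviour reported above, a client that needs group membership for a member in another domain can do what the first query in the message does: look the object up by its objectSid, take the distinguishedName from the reply, and issue the member query with the DN form, keeping the <SID=...> form for same-domain lookups.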