[cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
Jeff McCashland (He/him)
jeffm at microsoft.com
Thu Sep 29 23:02:54 UTC 2022
[Obaid to BCC]
I will research your question and let you know what I find.
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
From: Obaid Farooqi <obaidf at microsoft.com>
Sent: Thursday, September 29, 2022 3:50 PM
To: Christof Schmitt <cs at samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
Escalation Engineer | Microsoft
From: Christof Schmitt <cs at samba.org>
Sent: Thursday, September 29, 2022 5:16 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-ADTS] SID as DN alternative for querying groups by member
[MS-ADTS] 3.1.1.3.1.2.4 Alternative Forms of DNs
documents alternatives to using a DN in LDAP queries, e.g.:
My understanding is that these can be used interchangeably.
Given an AD forest with two domains:
Parent domain: adprotocol9.com running on Windows Server 2019
Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019
A User in child domain: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
Groups in parent domain: adgroup839 and adgroup8392 where the above user is a direct member of both groups.
A Samba server that is joined to the parent domain and can issue LDAP queries, e.g. through the "net ads search" command.
In this environment, the user can be queried through LDAP:
# net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid
Got 1 replies
The groups where the user is a member can be queried by the user's DN:
# net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn
Got 2 replies
The same query works with the documented alternate <GUID=...> syntax instead of the DN:
# net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn
Got 2 replies
But using the documented alternate <SID=...> syntax does not return the groups:
# net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn
Got 0 replies
On the other hand, the <SID=...> syntax works when the user is in the same domain as the group:
# net ads search -P cn=Administrator objectSid
Got 1 replies
# net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn
Got 5 replies
cn: Schema Admins
cn: Enterprise Admins
cn: Domain Admins
cn: Group Policy Creator Owners
Is there a limitation on using the <SID=...> syntax for querying groups by group members, when the member is in a different domain than the group? Should that be mentioned in the documentation?
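Added example (my own code, not Samba's or Microsoft's): it decodes the raw objectSid and objectGUID values an LDAP client receives into the textual forms used by the <SID=...> and <GUID=...> alternatives and builds the three member= filters from the thread, so the same query can be run in each form and the results compared. The sample byte values are constructed from the SID and GUID quoted above; the function names are mine.

```python
import struct
import uuid


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid into S-R-A-s1-s2... form.

    Layout: revision (1), sub-authority count (1), identifier authority
    (6 bytes big-endian), then count x 32-bit little-endian sub-authorities.
    """
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def guid_from_bytes(raw: bytes) -> str:
    """Decode objectGUID; AD stores it in little-endian (bytes_le) layout."""
    return str(uuid.UUID(bytes_le=raw))


def escape_filter_value(value: str) -> str:
    """Escape an LDAP filter assertion value per RFC 4515 (\\ * ( ) NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def member_filters(dn: str, sid_raw: bytes, guid_raw: bytes) -> dict:
    """The three equivalent 'member=' filters from the thread: DN, <GUID=>, <SID=>."""
    return {
        "dn": "(member=%s)" % escape_filter_value(dn),
        "guid": "(member=<GUID=%s>)" % guid_from_bytes(guid_raw),
        "sid": "(member=<SID=%s>)" % sid_from_bytes(sid_raw),
    }


# Constructed sample: binary encodings of the user's SID and GUID quoted in
# the thread (S-1-5-21-686935948-1127628631-3386349506-1104 and
# 5641cd8f-df84-498e-b840-4f46c41ea63a), as an LDAP client would receive them.
USER_DN = "CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com"
SAMPLE_SID = bytes.fromhex("0105000000000005150000008ccff128573f3643c297d7c950040000")
SAMPLE_GUID = bytes.fromhex("8fcd415684df8e49b8404f46c41ea63a")

if __name__ == "__main__":
    for form, flt in member_filters(USER_DN, SAMPLE_SID, SAMPLE_GUID).items():
        print("%-4s %s" % (form, flt))
```

Run each filter against the parent and child domain controllers and compare the reply counts; a form that returns fewer groups than the DN form is the case the question above is about.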