[cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Andrew Bartlett abartlet at samba.org
Thu Sep 29 23:07:33 UTC 2022


Christof,
Is the behaviour different on the Global Catalog port?  Are both
servers GC instances?
Andrew,
On Thu, 2022-09-29 at 23:02 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:
> [Obaid to BCC]
> Hi Christof,
> I will research your question and let you know what I find.
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> -----Original Message-----
> From: Obaid Farooqi <obaidf at microsoft.com>
> Sent: Thursday, September 29, 2022 3:50 PM
> To: Christof Schmitt <cs at samba.org>
> Cc: Microsoft Support <supportmail at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412
> Hi Christof:
> Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> -----Original Message-----
> From: Christof Schmitt <cs at samba.org>
> Sent: Thursday, September 29, 2022 5:16 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] [MS-ADTS] SID as DN alternative for querying groups by member
> Hello Dochelp,
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/92a54869-38d7-4e71-a3be-5f67a0dcdd7e
> 3.1.1.3.1.2.4 Alternative Forms of DNs
> documents alternatives to using a DN in LDAP queries, e.g.:
> <GUID=object_guid>
> <SID=sid>
> My understanding is that these can be used interchangeably.
> Given an AD forest with two domains:
> Parent domain: adprotocol9.com running on Windows Server 2019
> Child domain: adprotocol10.adprotocol9.com running on Windows Server 2019
> A User in child domain:
> CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
> Groups in parent domain: adgroup839 and adgroup8392 where the above
> user is a direct member of both groups.
> A Samba server that is joined to the parent domain and can issue LDAP
> queries, e.g. through the "net ads search" command.
> In this environment, the user can be queried through LDAP:
> # net ads search -P 'cn=aduser8410' -S adprotocol10.adprotocol9.com distinguishedName objectGUID objectSid
> Got 1 replies
> distinguishedName: CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com
> objectGUID: 5641cd8f-df84-498e-b840-4f46c41ea63a
> objectSid: S-1-5-21-686935948-1127628631-3386349506-1104
> 
> The groups where the user is a member can be queried by the user's
> DN:
> # net ads search -P 'member=CN=aduser8410,CN=Users,DC=adprotocol10,DC=adprotocol9,DC=com' cn
> Got 2 replies
> cn: adgroup839
> cn: adgroup8392
> 
> The same query works with the documented alternate <GUID=...> syntax
> instead of the DN:
> # net ads search -P 'member=<GUID=5641cd8f-df84-498e-b840-4f46c41ea63a>' cn
> Got 2 replies
> cn: adgroup839
> cn: adgroup8392
> 
> But using the documented alternate <SID=...> syntax does not return
> the groups:
> # net ads search -P 'member=<SID=S-1-5-21-686935948-1127628631-3386349506-1104>' cn
> Got 0 replies
> 
> On the other hand, the <SID=...> syntax works when the user is in the
> same domain as the group:
> # net ads search -P cn=Administrator objectSid
> Got 1 replies
> objectSid: S-1-5-21-3620267316-2463581073-2945356329-500
> # net ads search -P 'member=<SID=S-1-5-21-3620267316-2463581073-2945356329-500>' cn
> Got 5 replies
> cn: Administrators
> cn: Schema Admins
> cn: Enterprise Admins
> cn: Domain Admins
> cn: Group Policy Creator Owners
> 
> Is there a limitation on using the <SID=...> syntax for querying
> groups by group members, when the member is in a different domain
> than the group? Should that be mentioned in the documentation?
> Regards,
> Christof
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions