[jcifs] Re: NetLocalGroupEnum / NetLocalGroupGetMembers

Michael B Allen mba2000 at ioplex.com
Wed Apr 4 21:47:16 GMT 2007 

On Wed, 04 Apr 2007 17:21:48 -0400
Jake Goulding <goulding at vivisimo.com> wrote:

> Well, the problem is that I don't need the local groups, but need the 
> members of those groups... a short example:
> 
> Active Directory users: A & B.
> Fileserver F has local group G, containing A & B, and an ACL that says 
> file Z can be read by group G.
> 
> If I get the ACL for Z, I will get group G back (this is me assuming...).

Assuming for second that you could lookup group members, how do you know
group G is defined on server F so that you can query F for the members?

> Later on, user A logs in to our system and tries to do a search. We 
> query Active Directory at that time to see what rights A has. Since G is 
> a local group, Active Directory will not know anything about it. Our 
> security checks will say that A cannot access Z.
> 
> What I'd like to be able to do is (perhaps separately from jcifs?) query 
> a server to get the local groups, then find all the members of those 
> local groups (recursing until I no longer hit local groups).

I think you would have to implement the NetLocalGroupGetMembers RPC
(whatever it's really called). That isn't too hard. What is harder is
figuring out conceptually how it should be exposed through the JCIFS API.

Mike

> Thanks!
> 
> Michael B Allen wrote:
> > On Wed, 04 Apr 2007 17:09:09 -0400
> > Jake Goulding <goulding at vivisimo.com> wrote:
> >
> >   
> >> I've got a case where some customers have an Active Directory setup for 
> >> the whole organization, but specific fileservers have local groups 
> >> comprised of these AD users/groups. I'd like to be able to list the 
> >> local groups on the remote server and resolve them until I end up at 
> >> either a AD User or AD Group. Does anyone have any advice on how to do this?
> >>
> >> MSDN reference for the 2 relevant functions (I think):
> >> NetLocalGroupEnum
> >> http://msdn2.microsoft.com/en-us/library/aa370440.aspx
> >>
> >> NetLocalGroupGetMembers
> >> http://msdn2.microsoft.com/en-us/library/aa370601.aspx
> >>     
> >
> > Mmmm, I thought this worked already provided the DCERPC handle for the
> > MsrpcLookupSids call was the file server itself which IIRC is how the code
> > currently works. The MsrpcLookupSids call doesn't return local groups?
> >
> > Maybe you would have to implement new RPCs (I guess the ones you cite,
> > not sure).
> >
> > Mike
> >
> >   
> 
> -- 
> 
> JAKE GOULDING
> Software Engineer
> goulding at vivisimo.com
> 
> Viví­simo [Search Done Right___]
> 1710 Murray Avenue
> Pittsburgh, PA 15217 USA
> tel: +1.412.422.2499 x105
> fax: +1.412.422.2495
> vivisimo.com      clusty.com
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

More information about the jcifs mailing list