[jcifs] Re: NetLocalGroupEnum / NetLocalGroupGetMembers

Jake Goulding goulding at vivisimo.com
Thu Apr 5 19:57:59 GMT 2007


Does jcifs-ext support either of these functions?

This post seems to indicate that it is possibly halfway there...
http://groups.google.com/group/comp.lang.java.softwaretools/browse_thread/thread/64ad144432de6f65/42a29101b6efa56a?lnk=st&q=NetLocalGroupEnum+java&rnum=2&hl=en#42a29101b6efa56a

I think the answer to your first question would be during a crawl of the 
files, I check each ACL to see if the type is a local group and then go 
off and resolve it to the full list.

Michael B Allen wrote:
> On Wed, 04 Apr 2007 17:21:48 -0400
> Jake Goulding <goulding at vivisimo.com> wrote:
>
>   
>> Well, the problem is that I don't need the local groups, but need the 
>> members of those groups... a short example:
>>
>> Active Directory users: A & B.
>> Fileserver F has local group G, containing A & B, and an ACL that says 
>> file Z can be read by group G.
>>
>> If I get the ACL for Z, I will get group G back (this is me assuming...).
>>     
>
> Assuming for a second that you could look up group members, how do you know
> group G is defined on server F so that you can query F for the members?
>
>   
>> Later on, user A logs in to our system and tries to do a search. We 
>> query Active Directory at that time to see what rights A has. Since G is 
>> a local group, Active Directory will not know anything about it. Our 
>> security checks will say that A cannot access Z.
>>
>> What I'd like to be able to do is (perhaps separately from jcifs?) query 
>> a server to get the local groups, then find all the members of those 
>> local groups (recursing until I no longer hit local groups).
>>     
>
> I think you would have to implement the NetLocalGroupGetMembers RPC
> (whatever it's really called). That isn't too hard. What is harder is
> figuring out conceptually how it should be exposed through the JCIFS API.
>
> Mike
>
>   
>> Thanks!
>>
>> Michael B Allen wrote:
>>     
>>> On Wed, 04 Apr 2007 17:09:09 -0400
>>> Jake Goulding <goulding at vivisimo.com> wrote:
>>>
>>>   
>>>       
>>>> I've got a case where some customers have an Active Directory setup for 
>>>> the whole organization, but specific fileservers have local groups 
>>>> comprised of these AD users/groups. I'd like to be able to list the 
>>>> local groups on the remote server and resolve them until I end up at 
>>>> either an AD User or AD Group. Does anyone have any advice on how to do this?
>>>>
>>>> MSDN reference for the 2 relevant functions (I think):
>>>> NetLocalGroupEnum
>>>> http://msdn2.microsoft.com/en-us/library/aa370440.aspx
>>>>
>>>> NetLocalGroupGetMembers
>>>> http://msdn2.microsoft.com/en-us/library/aa370601.aspx
>>>>     
>>>>         
>>> Mmmm, I thought this worked already provided the DCERPC handle for the
>>> MsrpcLookupSids call was the file server itself which IIRC is how the code
>>> currently works. The MsrpcLookupSids call doesn't return local groups?
>>>
>>> Maybe you would have to implement new RPCs (I guess the ones you cite,
>>> not sure).
>>>
>>> Mike
>>>
>>>   
>>>       
>> -- 
>>
>> JAKE GOULDING
>> Software Engineer
>> goulding at vivisimo.com
>>
>> Vivísimo [Search Done Right™]
>> 1710 Murray Avenue
>> Pittsburgh, PA 15217 USA
>> tel: +1.412.422.2499 x105
>> fax: +1.412.422.2495
>> vivisimo.com      clusty.com
>>
>>     
>
>
>   

-- 

JAKE GOULDING
Software Engineer
goulding at vivisimo.com

Vivísimo [Search Done Right™]
1710 Murray Avenue
Pittsburgh, PA 15217 USA
tel: +1.412.422.2499 x105
fax: +1.412.422.2495
vivisimo.com      clusty.com
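
Added example, not part of the original message and not jcifs code: the A/B/F/G/Z scenario from the thread, showing why a check against Active Directory identities alone denies user A and how expanding local groups at crawl time fixes it. The `LOCAL_GROUPS` map is a hypothetical stand-in for a per-server membership lookup (the role NetLocalGroupGetMembers would play); all names and memberships are constructed, and trustees are assumed to carry their server prefix so the defining server is known.

```java
import java.util.*;

// Added illustration; not jcifs code. All names and data are constructed.
public class LocalGroupExpansion {
    // Hypothetical stand-in for querying a file server for local group
    // members. Key is "SERVER\group", so the defining server is explicit.
    static final Map<String, List<String>> LOCAL_GROUPS = new HashMap<String, List<String>>();
    static {
        LOCAL_GROUPS.put("F\\G", Arrays.asList("DOMAIN\\A", "DOMAIN\\B", "F\\Nested"));
        // Constructed nesting that points back at G, to exercise the cycle guard.
        LOCAL_GROUPS.put("F\\Nested", Arrays.asList("DOMAIN\\Staff", "F\\G"));
    }

    // Expand one ACL trustee to domain principals, recursing until no local
    // groups remain. 'seen' stops infinite recursion on cyclic membership.
    static Set<String> expand(String trustee, Set<String> seen) {
        Set<String> out = new TreeSet<String>();
        if (!seen.add(trustee)) return out;        // already visited
        List<String> members = LOCAL_GROUPS.get(trustee);
        if (members == null) {                     // not a local group: AD user or AD group
            out.add(trustee);
            return out;
        }
        for (String m : members) out.addAll(expand(m, seen));
        return out;
    }

    // Search-time check: the user's AD identities (user plus AD groups)
    // intersected with the trustees recorded for the file.
    static boolean canRead(Set<String> adIdentities, Set<String> aclTrustees) {
        return !Collections.disjoint(adIdentities, aclTrustees);
    }

    public static void main(String[] args) {
        Set<String> rawAcl = Collections.singleton("F\\G");   // ACL on file Z as stored
        Set<String> expanded = expand("F\\G", new HashSet<String>());
        Set<String> userA = new HashSet<String>(Arrays.asList("DOMAIN\\A"));
        System.out.println("expanded ACL for Z:  " + expanded);
        System.out.println("A vs raw ACL:        " + canRead(userA, rawAcl));
        System.out.println("A vs expanded ACL:   " + canRead(userA, expanded));
    }
}
```

An expansion stored at crawl time reflects group membership as of that crawl, so a member removed from G afterwards keeps search access to Z until the next crawl refreshes it.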


