[jcifs] Re: NetLocalGroupEnum / NetLocalGroupGetMembers
goulding at vivisimo.com
Thu Apr 5 19:57:59 GMT 2007
Does jcifs-ext support either of these functions?
This post seems to indicate that it is possibly halfway there...
I think the answer to your first question would be during a crawl of the
files, I check each ACL to see if the type is a local group and then go
off and resolve it to the full list.
Michael B Allen wrote:
> On Wed, 04 Apr 2007 17:21:48 -0400
> Jake Goulding <goulding at vivisimo.com> wrote:
>> Well, the problem is that I don't need the local groups, but need the
>> members of those groups... a short example:
>> Active Directory users: A & B.
>> Fileserver F has local group G, containing A & B, and an ACL that says
>> file Z can be read by group G.
>> If I get the ACL for Z, I will get group G back (this is me assuming...).
> Assuming for a second that you could look up group members, how do you know
> group G is defined on server F so that you can query F for the members?
>> Later on, user A logs in to our system and tries to do a search. We
>> query Active Directory at that time to see what rights A has. Since G is
>> a local group, Active Directory will not know anything about it. Our
>> security checks will say that A cannot access Z.
>> What I'd like to be able to do is (perhaps separately from jcifs?) query
>> a server to get the local groups, then find all the members of those
>> local groups (recursing until I no longer hit local groups).
> I think you would have to implement the NetLocalGroupGetMembers RPC
> (whatever it's really called). That isn't too hard. What is harder is
> figuring out conceptually how it should be exposed through the JCIFS API.
>> Michael B Allen wrote:
>>> On Wed, 04 Apr 2007 17:09:09 -0400
>>> Jake Goulding <goulding at vivisimo.com> wrote:
>>>> I've got a case where some customers have an Active Directory setup for
>>>> the whole organization, but specific fileservers have local groups
>>>> comprised of these AD users/groups. I'd like to be able to list the
>>>> local groups on the remote server and resolve them until I end up at
>>>> either an AD User or AD Group. Does anyone have any advice on how to do this?
>>>> MSDN reference for the 2 relevant functions (I think):
>>> Mmmm, I thought this worked already provided the DCERPC handle for the
>>> MsrpcLookupSids call was the file server itself which IIRC is how the code
>>> currently works. The MsrpcLookupSids call doesn't return local groups?
>>> Maybe you would have to implement new RPCs (I guess the ones you cite,
>>> not sure).
>> JAKE GOULDING
>> Software Engineer
>> goulding at vivisimo.com
>> Vivísimo [Search Done Right™]
>> 1710 Murray Avenue
>> Pittsburgh, PA 15217 USA
>> tel: +1.412.422.2499 x105
>> fax: +1.412.422.2495
>> vivisimo.com clusty.com
goulding at vivisimo.com
Vivísimo [Search Done Right™]
1710 Murray Avenue
Pittsburgh, PA 15217 USA
tel: +1.412.422.2499 x105
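
The crawl-time expansion discussed in this thread, as an added example that is not part of the original post and is not jcifs code. `MemberSource` is a hypothetical stand-in for a NetLocalGroupGetMembers-style lookup, the server is assumed to be the one the ACL was read from, and the group data is constructed from the thread's F/G/A/B scenario.

```java
import java.util.*;

public class LocalGroupExpansion {
    /** Hypothetical stand-in for a NetLocalGroupGetMembers-style lookup against one server. */
    interface MemberSource {
        /** Direct members if name is a local group on server, or null if it is not a local group there. */
        List<String> localGroupMembers(String server, String name);
    }

    /** Expands an ACL trustee into the domain principals that reach it through local groups. */
    static Set<String> expand(MemberSource src, String server, String trustee) {
        Set<String> resolved = new TreeSet<>();
        Set<String> seen = new HashSet<>();
        Deque<String> pending = new ArrayDeque<>();
        pending.push(trustee);
        while (!pending.isEmpty()) {
            String name = pending.pop();
            if (!seen.add(name)) continue;            // already visited: guards against nesting loops
            List<String> members = src.localGroupMembers(server, name);
            if (members == null) resolved.add(name);  // not local to the server: AD user or AD group, stop
            else members.forEach(pending::push);      // local group: keep resolving its members
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed data following the thread's example: server F, local group G, AD users A and B.
        Map<String, List<String>> onF = new HashMap<>();
        onF.put("G", Arrays.asList("A", "B", "H"));
        onF.put("H", Arrays.asList("DOMAIN\\Staff", "G")); // constructed nested entry that loops back to G
        MemberSource src = (server, name) -> "F".equals(server) ? onF.get(name) : null;

        // The ACL on file Z names G; store the expanded set with Z so the search-time
        // check against Active Directory can match user A.
        Set<String> allowed = expand(src, "F", "G");
        System.out.println("Z readable by: " + allowed);
        System.out.println("A may read Z: " + allowed.contains("A"));
    }
}
```

The expanded set is only as fresh as the last crawl, so a membership change on the file server is not reflected in search results until the ACL is re-resolved.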