[jcifs] jcifs-1.2.14 released / SID.getGroupMemberSids() and the SAMR Interface

Michael B Allen miallen at ioplex.com
Mon Aug 6 16:58:07 GMT 2007

On Mon, 6 Aug 2007 10:29:34 -0500
Ravi_Varanasi at Countrywide.Com wrote:

> Michael/Group,
> Disclaimer: new to jcifs.
> I have a requirement for validating users under a particular group. Should
> I be looking at the SID.getGroupMemberSids()? Some example illustrating
> how to use the API would be helpful.

Hi Ravi,

Currently this is not really possible with stock JCIFS.

To check if users are in a particular group you need to be able to do
two things - get the SIDs of the groups that the user is in and get the
SID of the group you're checking. Then you can compare SIDs and determine
if the user is in the target group. JCIFS currently does not have the
necessary RPCs to do either of these things.

To get the SID of a group requires the SamrLookupNamesInDomain which is
not a trivial RPC but our IDL compiler has been pretty solid and we have
the IDL so I don't think it would be hard.

But getting the groups of a user is much more difficult. We need
NetUserGetGroups functionality but I'm not sure that returns an expanded
list of groups. It might be better to get the tokenGroups constructed
attribute from the user's account using JNDI but we don't have any JNDI
routines yet so that has its own issues [1].

You might want to just do everything using JNDI. It won't be terribly
fast but it will work.


[1] And the real professional way to get the groups is from the user's
group SIDs from the Kerberos ticket but that would require decoding the
PAC which is non-trivial.

Michael B Allen
PHP Active Directory Kerberos SSO
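
The JNDI route suggested in the message above, as an added example that is not part of the original post and not JCIFS code: read the user's tokenGroups attribute, decode each binary SID, and compare against the target group's SID. It assumes an already-bound DirContext for an Active Directory domain controller; the class and method names are hypothetical and the sample SID bytes are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.HashSet;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class TokenGroupsCheck {   // hypothetical name
    // Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    // authority, then <count> 32-bit little-endian sub-authorities.
    static String sidToString(byte[] b) {
        if (b.length < 8 || b.length != 8 + 4 * (b[1] & 0xff))
            throw new IllegalArgumentException("malformed SID");
        long authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | (b[i] & 0xff);
        StringBuilder sb = new StringBuilder("S-").append(b[0] & 0xff).append('-').append(authority);
        ByteBuffer subs = ByteBuffer.wrap(b, 8, b.length - 8).order(ByteOrder.LITTLE_ENDIAN);
        while (subs.hasRemaining()) sb.append('-').append(subs.getInt() & 0xffffffffL);
        return sb.toString();
    }

    // tokenGroups is a constructed attribute: it is only returned by a
    // base-scope search on the user's own entry, and must be read as binary.
    static Set<String> tokenGroups(DirContext ctx, String userDn) throws NamingException {
        ctx.addToEnvironment("java.naming.ldap.attribute.binary", "tokenGroups");
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);
        sc.setReturningAttributes(new String[] {"tokenGroups"});
        Set<String> sids = new HashSet<>();
        NamingEnumeration<SearchResult> res = ctx.search(userDn, "(objectClass=*)", sc);
        while (res.hasMore()) {
            Attribute a = res.next().getAttributes().get("tokenGroups");
            if (a == null) continue;
            for (NamingEnumeration<?> v = a.getAll(); v.hasMore();)
                sids.add(sidToString((byte[]) v.next()));
        }
        return sids;
    }

    public static void main(String[] args) {
        // Constructed sample: one tokenGroups value and a target group SID.
        byte[] sample = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 1, 0, 0, 0,
                         2, 0, 0, 0, 3, 0, 0, 0, 1, 2, 0, 0};
        String targetGroupSid = "S-1-5-21-1-2-3-513";
        System.out.println(sidToString(sample).equals(targetGroupSid));
    }
}
```

Against a live directory, the membership test is `tokenGroups(ctx, userDn).contains(targetGroupSid)`, with the group's SID taken from its objectSid attribute and decoded the same way.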
