[jcifs] domain group membership

Michael B Allen ioplex at gmail.com
Wed May 28 14:10:11 GMT 2008

On Wed, May 28, 2008 at 2:12 AM, Volker Müller
<volker.mueller at xsystem.de> wrote:
> Hello,
> This could be an alternative.
> We are already doing some things with jcifs, so I wanted to resolve the
> domain groups also with jcifs.

The two most correct ways to reteive group membership information is
to 1) decode it from the PAC in the Kerberos ticket and 2) retrieve
the constructed tokenGroups attribute from the target account using
LDAP. JCIFS does not support Kerberos in the stock package (and the
jcifs-krb5 package does touch the PAC) so that pretty much leaves you
with only #2. There could be an MSRPC call for retrieving group
membership but I don't know of any modern clients that actually use it
in this scenario.


> Giampaolo Tomassoni schrieb:
>>> -----Original Message-----
>>> From: jcifs-bounces+giampaolo=tomassoni.biz at lists.samba.org
>>> [mailto:jcifs-bounces+giampaolo=tomassoni.biz at lists.samba.org] On
>>> Behalf Of Volker Müller
>>> Sent: Tuesday, May 27, 2008 5:20 PM
>>> To: jcifs at lists.samba.org
>>> Subject: [jcifs] domain group membership
>>> Hello,
>>> I need to determine if a user is member of a domain group.
>>> I tried to use getGroupMemberSids of class SID, but the function is
>>> only
>>> for local groups.
>>> Is there a way to resolve the members (users and groups) of a domain
>>> group with jcifs?
>> I'm actually using ldap for that. By the way, every complete java runtime
>> supports ldap natively.
>> This works if the dc is at least a 2k server, of course...
>> Giampaolo
>>> Best regards
>>> Volker

Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the jcifs mailing list