[jcifs] domain group membership

Volker Müller volker.mueller at xsystem.de
Thu May 29 06:43:15 GMT 2008

OK, I will try it with LDAP.



Michael B Allen schrieb:
> On Wed, May 28, 2008 at 2:12 AM, Volker Müller
> <volker.mueller at xsystem.de> wrote:
>> Hello,
>> This could be an alternative.
>> We are already doing some things with jcifs, so I wanted to resolve the
>> domain groups also with jcifs.
> The two most correct ways to reteive group membership information is
> to 1) decode it from the PAC in the Kerberos ticket and 2) retrieve
> the constructed tokenGroups attribute from the target account using
> LDAP. JCIFS does not support Kerberos in the stock package (and the
> jcifs-krb5 package does touch the PAC) so that pretty much leaves you
> with only #2. There could be an MSRPC call for retrieving group
> membership but I don't know of any modern clients that actually use it
> in this scenario.
> Mike
>> Giampaolo Tomassoni schrieb:
>>>> -----Original Message-----
>>>> From: jcifs-bounces+giampaolo=tomassoni.biz at lists.samba.org
>>>> [mailto:jcifs-bounces+giampaolo=tomassoni.biz at lists.samba.org] On
>>>> Behalf Of Volker Müller
>>>> Sent: Tuesday, May 27, 2008 5:20 PM
>>>> To: jcifs at lists.samba.org
>>>> Subject: [jcifs] domain group membership
>>>> Hello,
>>>> I need to determine if a user is member of a domain group.
>>>> I tried to use getGroupMemberSids of class SID, but the function is
>>>> only
>>>> for local groups.
>>>> Is there a way to resolve the members (users and groups) of a domain
>>>> group with jcifs?
>>> I'm actually using ldap for that. By the way, every complete java runtime
>>> supports ldap natively.
>>> This works if the dc is at least a 2k server, of course...
>>> Giampaolo
>>>> Best regards
>>>> Volker

More information about the jcifs mailing list