New group mapping and the auth subsystem
Luke Howard
lukeh at PADL.COM
Sun Dec 2 16:42:02 GMT 2001
>You can't get the list of SIDs for an "arbitrary" user, they
>need to have logged on via netlogon or PAC. Then we know what
>SIDs they have (from the return value) and we store it in the
>token.
Sure. However, Active Directory does give you a way to query
the SIDs of the groups a user belongs to without traversing
the user's group graph. This probably helps KDCSVC construct
the PAC.
$ ldapsearch -s base -b "cn=luke howard,cn=users,dc=nt,dc=padl,dc=com" 'objectclass=*' tokenGroups tokenGroupsNoGC
dn: cn=luke howard,cn=users,dc=nt,dc=padl,dc=com
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQXwQAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQdgQAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQewQAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQWgQAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQAQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQAAIAAA==
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
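As an added example (not code from the post or from Samba), the following decodes the binary SIDs that ldapsearch returns in base64 for the constructed tokenGroups attribute above, so a user's effective group membership can be audited without walking the group graph. It reuses the first three values from the LDIF output in the post; the well-known SID and RID tables are a small subset chosen for illustration.

```python
import base64
import struct

# Well-known BUILTIN SIDs (subset) and privileged domain RIDs an audit would flag.
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users"}
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}

# The first three tokenGroups values are copied from the ldapsearch output in the post.
SAMPLE_LDIF = """dn: cn=luke howard,cn=users,dc=nt,dc=padl,dc=com
tokenGroups:: AQIAAAAAAAUgAAAAIAIAAA==
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
tokenGroups:: AQUAAAAAAAUVAAAAVykCTGJcvAbb6wxQXwQAAA==
"""

def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (the tokenGroups wire format) into S-R-A-... text."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit identifier authority
    subs = struct.unpack("<%dI" % count, raw[8:])    # little-endian sub-authorities
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def token_groups_from_ldif(ldif: str) -> list:
    """Collect the base64 ('::') tokenGroups values from ldapsearch LDIF output."""
    sids = []
    for line in ldif.splitlines():
        if line.startswith("tokenGroups::"):
            raw = base64.b64decode(line.split("::", 1)[1].strip())
            sids.append(sid_from_bytes(raw))
    return sids

def describe(sid: str) -> str:
    """Name well-known BUILTIN SIDs and flag privileged RIDs under a domain SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        return "%s (RID %d)" % (PRIVILEGED_RIDS.get(rid, "domain group"), rid)
    return "other"

def audit(ldif: str) -> list:
    """Return (sid, description) for every group SID in the user's token."""
    return [(sid, describe(sid)) for sid in token_groups_from_ldif(ldif)]
```

`audit(SAMPLE_LDIF)` resolves the first two values to BUILTIN\Administrators and BUILTIN\Users and the third to RID 1119 under the domain SID; note that tokenGroups is only returned for a base-scope search, as in the command above.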