How samba 3.0 get the NT token for a domain user?

Chere Zhou qzhou at
Thu May 8 19:58:13 GMT 2003

>From what I read so far, samba does this by doing a LDAP query for a user's 
"tokengroups", convert them to gids, then call create_nt_token.  
create_nt_token convert this list of gids back to SIDs, and store in a NT 
token structure.  It seems like in a W2k environment, a domain user gets the 
access token, which includes a list of groups, when the user logins in to the 
domain, and then this access token should be transferred to a file server if 
the user access it.

So if my understanding above is correct, it means that we can not decode the 
access token yet?  Or what else that we do not get the group list from the 
access token?  Or my understanding of the process is totally wrong?


More information about the samba-technical mailing list