Domain Join w/ SChannel GSS-API Kerberos for JCIFS

Luke Howard lukeh at
Tue Nov 16 00:09:36 GMT 2004

>But back to my use-case -- once I get the ticket, with whom do I do
>extended security negotiation to looking up a user's membership? The DC or

Decrypt the service ticket using the service's long-term, and extract the
group membership from the authorization data.

>Do I still want to do SamrLookupNamesInDomain et al or should I be doing
>LDAP to Active Directory?

You can also read the tokenGroups attribute in Active Directory, but
this may not contain the user's complete group membership.

-- Luke


More information about the samba-technical mailing list