Domain Join w/ SChannel GSS-API Kerberos for JCIFS
Luke Howard
lukeh at padl.com
Tue Nov 16 00:09:36 GMT 2004
>But back to my use-case -- once I get the ticket, with whom do I do
>extended security negotiation to look up a user's membership? The DC or
>KDC?
Decrypt the service ticket using the service's long-term, and extract the
group membership from the authorization data.
>Do I still want to do SamrLookupNamesInDomain et al or should I be doing
>LDAP to Active Directory?
You can also read the tokenGroups attribute in Active Directory, but
this may not contain the user's complete group membership.
-- Luke
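
Added example, not part of the original message and not JCIFS code: tokenGroups values are returned by LDAP as binary SIDs, so a client has to decode them before comparing them with group SIDs. The Python code below assumes the raw attribute values have already been fetched; the function names and the sample values are constructed for illustration.

```python
import struct

def decode_sid(raw: bytes) -> str:
    """Convert one binary SID (one tokenGroups value) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte fixed header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15:
        raise ValueError("more than 15 sub-authorities")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def decode_token_groups(values):
    """Decode every value; report malformed ones instead of dropping them,
    since a silently skipped SID changes the authorization decision."""
    sids, rejected = [], []
    for value in values:
        try:
            sids.append(decode_sid(value))
        except ValueError as exc:
            rejected.append((value.hex(), str(exc)))
    return sids, rejected

def _build(authority, *subs):
    """Helper used only to construct the sample values below."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

# Constructed sample: a domain group SID, a builtin group SID, a truncated value.
SAMPLE = [
    _build(5, 21, 1111111111, 2222222222, 3333333333, 513),
    _build(5, 32, 545),
    b"\x01\x05\x00\x00",
]

if __name__ == "__main__":
    sids, rejected = decode_token_groups(SAMPLE)
    for sid in sids:
        print(sid)
    for blob, reason in rejected:
        print("rejected", blob, reason)
```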