Domain Join w/ SChannel GSS-API Kerberos for JCIFS
lukeh at padl.com
Tue Nov 16 00:09:36 GMT 2004
>But back to my use-case -- once I get the ticket, with whom do I do
>extended security negotiation to looking up a user's membership? The DC or
Decrypt the service ticket using the service's long-term, and extract the
group membership from the authorization data.
>Do I still want to do SamrLookupNamesInDomain et al or should I be doing
>LDAP to Active Directory?
You can also read the tokenGroups attribute in Active Directory, but
this may not contain the user's complete group membership.
More information about the samba-technical