Domain Join w/ SChannel GSS-API Kerberos for JCIFS

Stefan (metze) Metzmacher metze at
Tue Nov 16 11:40:12 GMT 2004

Luke Howard wrote:

>>But back to my use-case -- once I get the ticket, with whom do I do
>>extended security negotiation to look up a user's membership? The DC or
> Decrypt the service ticket using the service's long-term, and extract the
> group membership from the authorization data.
>>Do I still want to do SamrLookupNamesInDomain et al or should I be doing
>>LDAP to Active Directory?
> You can also read the tokenGroups attribute in Active Directory, but
> this may not contain the user's complete group membership.

Hi Luke,

I can't find any attribute called 'tokenGroups' in my w2k3 dc.


Stefan Metzmacher <metze at>
