Domain Join w/ SChannel GSS-API Kerberos for JCIFS
Stefan (metze) Metzmacher
metze at samba.org
Tue Nov 16 11:40:12 GMT 2004
Luke Howard wrote:
>>But back to my use-case -- once I get the ticket, with whom do I do
>>extended security negotiation to looking up a user's membership? The DC or
>>KDC?
>
>
> Decrypt the service ticket using the service's long-term, and extract the
> group membership from the authorization data.
>
>
>>Do I still want to do SamrLookupNamesInDomain et al or should I be doing
>>LDAP to Active Directory?
>
>
> You can also read the tokenGroups attribute in Active Directory, but
> this may not contain the user's complete group membership.
Hi Luke,
I can't find any attribute called 'tokenGroups' in my w2k3 dc
--
metze
Stefan Metzmacher <metze at samba.org> www.samba.org
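
An added example, not part of the original thread: tokenGroups is a constructed attribute that Active Directory returns only on a base-scope search that names it explicitly, and its values are binary SIDs. The sketch below decodes such values into string SIDs; the sample values are constructed and the function names are illustrative.

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode one binary SID (the form tokenGroups values take) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError("SID may hold at most 15 sub-authorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_rid(sid: str):
    """Split a string SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def make_sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID; used here only to construct sample input."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

# Constructed sample values, standing in for what an LDAP client would
# receive for tokenGroups (the domain identifier 1-2-3 is made up).
SAMPLE_TOKEN_GROUPS = [
    make_sid(5, 21, 1, 2, 3, 513),                         # domain RID 513
    bytes.fromhex("01020000000000052000000021020000"),     # S-1-5-32-545
]

def decode_token_groups(values):
    """Decode every value, failing loudly on a malformed one."""
    return [sid_to_string(v) for v in values]

if __name__ == "__main__":
    for sid in decode_token_groups(SAMPLE_TOKEN_GROUPS):
        print(sid, split_rid(sid))
```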