need to re-evaluate enumerating users

Gerald (Jerry) Carter jerry at
Thu Nov 10 15:56:08 GMT 2005

Jeremy & Volker,

Yeah. So Volker's right.  There is really no way to enumerate
users in a trusted AD domain without kerberos.

This is an example of a child domain enumerating users just
like the NT4 BDC in the mixed mode domain does.

Here is the trusted parent domain
and FRUIT\Administrator is from the mixed mode child domain.
I get the same results from the object picker on the

$ bin/rpcclient -U'FRUIT\Administrator' \
  -c 'querydispinfo' -s /dev/null | wc -l

Just does not work.  There are a lot more accounts enumerated
when I connect as the domain admin.

$ bin/rpcclient -U'AD\Administrator' \
  -c 'querydispinfo' -s /dev/null | wc -l

So here's what we can do.

* use the "right" methods when talking to our own domain.
* use the "right" methods when talking to a DC running
  AD (due to the tighter coupling between the winbindd_domain
  structure and the actual cli_state connection).
* Use the ADS methods when talking to a trusted AD domain
  on a Samba DC (by generating a kerberos ticket).

What we cannot do:

* Fix enumerating users and groups when we have to fallback
  to RPC

Solution proposal:

* Reinstate the netsamlogon cache with the following changes
  (a) cache the PAC info as well as NTLM net_user_info_3
  (b) expire the cache when the SMB session goes away

This will solve the problem of users being able to connect
to the Samba box.  This will not solve the 'chown <domain user>
file' problem.

Another possibility is to store a --set-auth-user on a per
trusted domain basis.

So the problem really boils down to a Samba machine in
'security = domain' and talking to a trusted AD domain.
Everything else we can work with I think.

cheers, jerry
