question about create_local_nt_token

Herb Lewis hlewis at
Wed Aug 13 23:55:07 GMT 2008

Try this. add several groups to a user. Pick one of the
groups returned by wbinfo --user-domgroups that is not the
first group to be the primary group of the user. set debug
level to be 10 and connect from a client as that user.

look for "NT user token of user " in the logs. The first
group SID will not be the primary SID. This is using a
W2k SP4 DC.

Jeremy Allison wrote:
> On Wed, Aug 13, 2008 at 04:24:50PM -0700, Herb Lewis wrote:
>>The comment says we are adding the user and primary group sid
>>to the array, but we add the user and the first group in the
>>groupsids array. This is not always the primary group. How can
>>we tell which is the primary group?
> By convention the first group in the groupsids array
> should be the primary group. Where in the code do you
> see it not being the primary ?
> Jeremy.

More information about the samba-technical mailing list