Problems creating a Samba4 LDAP Backend

Luke Howard lukeh at padl.com
Sat Mar 22 15:25:09 GMT 2008


On 22/03/2008, at 10:17 AM, Andrew Morgan wrote:
> On Sat, 22 Mar 2008, Luke Howard wrote:
>
>>>> To me, this says that the directory does an internal group search  
>>>> to
>>>> generate the isMemberOf attribute on the fly.  I believe this is  
>>>> the way
>>>> Active Directory handles the memberOf attribute as well.
>>> IIRC in AD memberOf is a linked attribute, stored permanently.
>>
>>
>> From memory, AD stores the entry IDs of the link tuples in a  
>> separate table, so both "member" and "memberOf" are ostensibly  
>> generated on the fly. But this is really an implementation decision  
>> (although things do start to get interesting when dealing with  
>> references across partition boundaries).
>
> I noticed that the memberOf tab in AD Users and Computers does not  
> show group membership for groups that are not in the same domain as  
> the user. Access controls were still correctly applied though, so  
> those interfaces must be enumerating group membership some other way.

Right, this is because it's expensive (I think they'll show such  
memberships if you query through the GC port [3268] but that requires  
you talk to a GC).

When a non-GC KDC builds a PAC, it will contact a GC over RPC to  
complete the user's token (cf. IDL_DRSGetMemberships).

-- Luke


More information about the samba-technical mailing list