PAC group problem

tridge at tridge at
Fri Jan 15 04:48:33 MST 2010

Hi Andrew,

I've reproduced that group problem we had once before.

If you do the following:

 1) provision a s4 DC
 2) dcpromo join a w2k8r2 box to it (presumably same with w2k8)
 3) connect to the s4 box from windows DC as administrator

then security_session_user_level() for the login comes back as
SECURITY_USER not SECURITY_ADMINISTRATOR as builtin administrators is
not in the token. I presume the PAC came back wrong from the s4 KDC.

I noticed this as it breaks some DRS calls that check for

I guess we're not expanding the group membership right in the kdc

Cheers, Tridge

More information about the samba-technical mailing list