[PR PATCH] idmap_rid: default group always set to "Domain Users"

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Apr 18 08:41:37 UTC 2018


On Wed, Apr 18, 2018 at 09:52:36AM +0300, Isaac Boukris wrote:
> > wbint_QueryUser would have to use samr. This can at best (if at all)
> > with the domain we're member of. And even that is something we need to
> > get rid of. Without a samlogon cache entry there is just no reliable
> > way to get that done. The only way out is (I believe) a s4u2self
> 
> I am curious what samr-rpc you are referring to, that could resolve
> user's sids in local domain.
> The one I can see, queryusergroups, doesn't seem to provide nesting
> group, only direct membership, like:
> # rpcclient -UAdministrator wdc.acme.com -c 'queryusergroups 1105'

Also look at queryuseraliases, expanding to
https://msdn.microsoft.com/en-us/library/cc245816.aspx

> If there is a way to get group membership via rpc without auth, it may
> have some advantage over krb5 which requires the client to talk to all
> the DCs.

Sure. If you know how that works anonymously, I would be more than happy
to hear about it. Samba has been struggling with this for at least 10
years, and you with some fresh ideas might solve this Gordian knot in
an instant! Please tell us when you're done!

Thanks a lot for your thought,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
