[PR PATCH] idmap_rid: default group always set to "Domain Users"

Isaac Boukris iboukris at gmail.com
Wed Apr 18 09:12:51 UTC 2018


On Wed, Apr 18, 2018 at 11:41 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Wed, Apr 18, 2018 at 09:52:36AM +0300, Isaac Boukris wrote:
>> > wbint_QueryUser would have to use samr. This can at best (if at all)
>> > with the domain we're member of. And even that is something we need to
>> > get rid of. Without a samlogon cache entry there is just no reliable
>> > way to get that done. The only way out is (I believe) a s4u2self
>>
>>
>> I am curious what SAMR RPC you are referring to that could resolve a
>> user's SIDs in the local domain.
>> The one I can see, queryusergroups, doesn't seem to provide nested
>> groups, only direct membership, like:
>> # rpcclient -UAdministrator wdc.acme.com -c 'queryusergroups 1105'
>
> Also look at queryuseraliases, expanding to
> https://msdn.microsoft.com/en-us/library/cc245816.aspx


Thanks, from this doc it sounds like queryuseraliases also doesn't
provide nested groups; quoting:
"For each SID value in SidArray, the server MUST determine the union
of all database objects in the domain referenced by
DomainHandle.Object with class group and groupType
GROUP_TYPE_SECURITY_RESOURCE whose member value contains the SID"

Trying to run the rpcclient command fails, but maybe I'm missing something:
# rpcclient -P wdc.acme.com -c 'queryuseraliases ACME.COM
S-1-5-21-9281652-3921847615-585208160-1105'
result was NT_STATUS_INVALID_PARAMETER
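An added illustration, not part of the thread or of Samba's code, of the gap discussed above: a direct-membership lookup of the kind queryusergroups returns, compared with the nested (transitive) expansion a client would have to do itself. The group table, keyed by RID, is constructed for the example and is not taken from any real domain.

```python
from collections import deque

# Constructed group graph: group RID -> set of member RIDs (users or groups).
# RIDs are arbitrary sample values for this example only.
GROUP_MEMBERS = {
    513: {1105},          # "Domain Users": user 1105 is a direct member
    1200: {1105},         # "dev": user 1105 is a direct member
    1201: {1200},         # "engineering" contains the group "dev"
    1202: {1201, 1202},   # "staff" contains "engineering" and, by mistake, itself
    1203: {9999},         # unrelated group with a different user
}


def direct_groups(user_rid, members=GROUP_MEMBERS):
    """Groups that list the user as a direct member (what a queryusergroups-style
    lookup yields); group-in-group nesting is not followed."""
    return {g for g, m in members.items() if user_rid in m}


def nested_groups(user_rid, members=GROUP_MEMBERS):
    """Transitive closure over group-in-group membership, tolerating cycles.
    Starts from the direct groups and repeatedly adds every group that contains
    an already-found group as a member."""
    seen = set()
    queue = deque(direct_groups(user_rid, members))
    while queue:
        g = queue.popleft()
        if g in seen:          # cycle or diamond: already expanded
            continue
        seen.add(g)
        queue.extend(parent for parent, m in members.items() if g in m)
    return seen


if __name__ == "__main__":
    print("direct:", sorted(direct_groups(1105)))   # [513, 1200]
    print("nested:", sorted(nested_groups(1105)))   # [513, 1200, 1201, 1202]
```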