[PR PATCH] idmap_rid: default group always set to "Domain Users"

Isaac Boukris iboukris at gmail.com
Wed Apr 18 09:12:51 UTC 2018

On Wed, Apr 18, 2018 at 11:41 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Wed, Apr 18, 2018 at 09:52:36AM +0300, Isaac Boukris wrote:
>> > wbint_QueryUser would have to use samr. This can at best (if at all)
>> > work with the domain we're a member of. And even that is something we need to
>> > get rid of. Without a samlogon cache entry there is just no reliable
>> > way to get that done. The only way out is (I believe) a s4u2self
>> I am curious what samr-rpc you are referring to, that could resolve a
>> user's SIDs in the local domain.
>> The one I can see, queryusergroups, doesn't seem to provide nested
>> groups, only direct membership, like:
>> # rpcclient -UAdministrator wdc.acme.com -c 'queryusergroups 1105'
> Also look at queryuseraliases, expanding to
> https://msdn.microsoft.com/en-us/library/cc245816.aspx

Thanks, from this doc it sounds like queryuseraliases also doesn't
provide nested groups, quote:
"For each SID value in SidArray, the server MUST determine the union
of all database objects in the domain referenced by
DomainHandle.Object with class group and groupType
GROUP_TYPE_SECURITY_RESOURCE whose member value contains the SID"

Trying to run the rpcclient command fails, but maybe I'm missing something:
# rpcclient -P wdc.acme.com -c 'queryuseraliases ACME.COM
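To make the difference discussed in this thread concrete, here is an added illustration (not Samba code and not from the posters): a toy model of the two SAMR lookups against a constructed directory, alongside the transitive expansion a logon token would carry. The SID values, group names and the mapping of queryusergroups/queryuseraliases to SamrGetGroupsForUser/SamrGetAliasMembership are assumptions for the example.

```python
# Constructed sample directory: SID -> (object kind, set of member SIDs).
# Names in comments are illustrative only.
DIRECTORY = {
    "S-1-5-21-1-1-1-1105": ("user", set()),
    "S-1-5-21-1-1-1-513":  ("global", {"S-1-5-21-1-1-1-1105"}),  # Domain Users
    "S-1-5-21-1-1-1-1200": ("global", {"S-1-5-21-1-1-1-1105"}),  # Devs
    "S-1-5-21-1-1-1-1300": ("global", {"S-1-5-21-1-1-1-1200"}),  # Engineering, contains Devs
    "S-1-5-21-1-1-1-1400": ("alias",  {"S-1-5-21-1-1-1-1300"}),  # resource group holding Engineering
    "S-1-5-21-1-1-1-1500": ("alias",  {"S-1-5-21-1-1-1-1105"}),  # resource group holding the user directly
}


def query_user_groups(user_sid):
    """Model of queryusergroups (SamrGetGroupsForUser): direct global-group
    membership of the user only, no nesting."""
    return {sid for sid, (kind, members) in DIRECTORY.items()
            if kind == "global" and user_sid in members}


def query_user_aliases(sid_array):
    """Model of queryuseraliases (SamrGetAliasMembership) as quoted from
    MS-SAMR above: for each SID in the array, the union of resource groups
    whose member value contains that SID. Still no recursion."""
    wanted = set(sid_array)
    return {sid for sid, (kind, members) in DIRECTORY.items()
            if kind == "alias" and members & wanted}


def token_groups(user_sid):
    """What a logon token / PAC would carry: the transitive closure over
    both global groups and aliases, which neither SAMR call gives alone."""
    seen, frontier = set(), {user_sid}
    while frontier:
        new = {sid for sid, (kind, members) in DIRECTORY.items()
               if kind != "user" and members & frontier} - seen
        seen |= new
        frontier = new
    return seen


if __name__ == "__main__":
    user = "S-1-5-21-1-1-1-1105"
    direct = query_user_groups(user)
    print("direct groups:       ", sorted(direct))
    print("aliases (user only): ", sorted(query_user_aliases([user])))
    print("aliases (user+groups)", sorted(query_user_aliases([user, *direct])))
    print("token groups:        ", sorted(token_groups(user)))
```

Even when the user's direct groups are fed back into the alias query, the resource group that holds the nested Engineering group is still missed; only the closure in token_groups finds it.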
