Are there any command line options available to know the (user)account type?
hemanth.thummala at nutanix.com
Fri Feb 16 19:30:31 UTC 2018
Yes. Looks like DC only returning the type as user SID.
Wondering when the DC can return type as “SidTypeComputer” if not for the machine account names.
On 16/02/18, 11:17 AM, "Jeremy Allison" <jra at samba.org> wrote:
On Fri, Feb 16, 2018 at 06:34:13AM +0000, Hemanth Thummala via samba-technical wrote:
>We are actually looking for a command line option to know if a specific AD user is actually of type “user” or “computer(machine)” account.
>Existing wbinfo –n or –i (user info) commands which internally doing lsalookupnames()/lsalookupsids() seems to be always returning the Lsa_SidType as User for machine accounts too.
>For example, user lookup for a machine account showing the type as USER SID.
>$sudo wbinfo -n win-clinet2$
>S-1-5-21-2181377586-1363663071-3087203698-1001 SID_USER (1)
>There is SID type called “SidTypeComputer” available in enum of Lsa_SidType. But this doesn’t seems to be returned even when the lookup is done for machine account names. Looks like they are being treated as users in this context. I believe this is retuned by AD server. Couldn’t verify the trace as the response was encrypted. Would like to know if this is the expected SID type for machine accounts.
>Looks like only “SamAccountType” attribute can authoritatively say if the requested account is of type user or computer account. I could achieve this using ldapsearch command.
>I would like to know if there are any winbindd or wbinfo commands available which could give the authoritative response for user type. Please let me know.
Hmmm. wbinfo is just returning the 'type' field
subreq = dcerpc_wbint_LookupName_send(
state, ev, dom_child_handle(domain),
flags, &state->type, &state->sid);
(the &state->type return) - which it gets back
from the DC. Is the DC correctly returning the
SidTypeComputer type ? I don't see any mapping
being done internally.
More information about the samba-technical