Hi Stefan, I am looking into this and will update you on my progress.
Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:[email protected]]
Sent: Thursday, November 12, 2009 7:47 AM
To: Interoperability Documentation Help; [email protected]; [email protected]
Subject: How to get the expanded group memberships for a user

Hi,

I'm trying to solve the following problem:

COMPUTERS-DOM has an outgoing forest trust to USERS-DOM.

Samba as a member server in COMPUTERS-DOM wants to get the fully expanded group memberships of user USERS-DOM\Administrator without knowing the password of USERS-DOM\Administrator. (The best would be to get the whole PAC structure, which we're getting if the user is authenticated via KRB5 or netr_LogonSamLogon.)

With a 2-way forest trust that's no problem. Samba can ask a DC of COMPUTER-DOM via LookupNames about the SID of USERS-DOM\Administrator. Then Samba can use its machine account and ask a DC of USERS-DOM via LDAP about the tokenGroups of the user (that's how Samba currently works). The second way would be to use S4U2Self to get the PAC via a Krb5 ticket.

But with a one-way trust only the LookupNames works, as the DC of COMPUTER-DOM will proxy the request to a DC of USERS-DOM using the trust account. But Samba can't directly talk to a DC of USERS-DOM using its machine account. So both LDAP and S4U2Self won't work.

I just found that DRSGetMemberships can also get the user's groups. I hoped that it would behave like LookupNames and would be proxied by the DC of COMPUTER-DOM to a DC of USERS-DOM. But I'm unable to trigger this.

Is that by design or am I doing something wrong (DRSGetMemberships works fine for the SID of COMPUTER-DOM\Administrator)?

Is there any other way to solve this problem?

metze

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
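The tokenGroups approach metze describes (a base-scope LDAP search on the user's DN, which returns the expanded membership as binary SIDs) still needs those SID blobs decoded before they can be matched against ACLs. The following is an added example, not code from the thread or from Samba: it decodes binary SIDs into S-1-... form and expands a constructed tokenGroups value set; the sample SIDs and the helper names are assumptions.

```python
import struct

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID (as returned in tokenGroups/objectSid) to S-R-A-S1-...-Sn form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then N sub-authorities (4 bytes each, little-endian).
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def string_to_sid_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build constructed sample data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def expand_token_groups(values) -> list:
    """Turn the raw tokenGroups attribute values into a sorted, de-duplicated SID list."""
    return sorted({sid_bytes_to_string(v) for v in values})

# Constructed sample (assumption): what an LDAP base-scope search of the user's DN
# for attribute tokenGroups might return. The domain SID below is made up.
SAMPLE_TOKEN_GROUPS = [
    string_to_sid_bytes("S-1-5-21-1111-2222-3333-512"),  # Domain Admins (RID 512)
    string_to_sid_bytes("S-1-5-21-1111-2222-3333-513"),  # Domain Users (RID 513)
    string_to_sid_bytes("S-1-5-32-544"),                  # BUILTIN\Administrators
    string_to_sid_bytes("S-1-5-21-1111-2222-3333-513"),  # duplicate, collapsed below
]

if __name__ == "__main__":
    for sid in expand_token_groups(SAMPLE_TOKEN_GROUPS):
        print(sid)
```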
