We are working on having Samba support having Win2k8 servers as read only domain controllers in the Samba4 domain.

We noticed that RODCs are given primaryGroupID of 521 - the RODC group for the local domain. This happens when they join over LDAP (we can't find the documentation for this either, but it's clear from our testing).

However, all the documentation talks about RODCs being a member of the enterprise read only domain controller group - which has a RID of 498. How is the 498 implied from the 521? There isn't a member link between the groups, for example. Is it simply linked during token construction somehow?

It also does not appear in the tokenGroups of the RODC account over LDAP (as found in a base search on the RODC object):

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521

However, it does show up in the tokenGroups in the rootDSE, if we connect *as* the RODC:

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-1116
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-498
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-64-10

Can you please explain how we are meant to get from one to the other?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
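The two tokenGroups listings in the message can be compared mechanically. The following is an added example, not code from the message or from Samba: it parses both outputs (embedded as sample input constructed from the listings above), names the well-known SIDs and domain RIDs using the standard Windows well-known SID table, and reports which SIDs the token built for the RODC bind carries beyond the stored tokenGroups of the RODC object, which isolates the RID 498 entry the question is about.

```python
# Added example, not from the original message: diff the two tokenGroups
# listings quoted above and name the SIDs that only appear in the built token.
import re
# Sample input constructed from the listings in the message.
BASE_SEARCH = """
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
"""
ROOTDSE_AS_RODC = """
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-1116
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-498
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-64-10
"""
# Names from the standard Windows well-known SID table; RIDs >= 1000 are domain-specific.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK", "S-1-5-11": "Authenticated Users",
    "S-1-5-15": "This Organization", "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-64-10": "NTLM Authentication",
}
DOMAIN_RIDS = {498: "Enterprise Read-only Domain Controllers",
               521: "Read-only Domain Controllers",
               572: "Denied RODC Password Replication Group"}

def parse_token_groups(text):
    """Return the set of SIDs found on 'tokenGroups: <sid>' lines."""
    return set(re.findall(r"^tokenGroups:\s*(S-[\d-]+)\s*$", text, re.M))

def describe(sid):
    """Name a SID: well-known SID, well-known domain RID, or domain-specific RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)  # domain SID + RID
    if m:
        return DOMAIN_RIDS.get(int(m.group(1)), "domain-specific RID " + m.group(1))
    return "unknown SID"

def added_by_token_construction(stored, token):
    """SIDs in the built token that the stored tokenGroups did not list."""
    return {s: describe(s) for s in sorted(parse_token_groups(token) - parse_token_groups(stored))}
for sid, name in added_by_token_construction(BASE_SEARCH, ROOTDSE_AS_RODC).items():
    print(sid, "->", name)
```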
