Andrew,

   You mentioned that all the documentation talks about RODCs being a member of 
the enterprise read only domain controller group, which has a RID of 498.  What 
part of the documentation do you refer to?

  In MS-ADTS 7.1.1.3.2 "Read-Only Domain Controller Object", there is the 
following statement:

        PrimaryGroupID:  Contains the value 521.

        This attribute is populated during creation of the RODC corresponding 
to the RODC object. The primary group of an RODC object is the domain     
relative well-known RODCs security group. So the primaryGroupID attribute of an 
RODC object equals the RID of the RODCs security group, 521.

  It looks like this is expected behavior based on this statement.

  Should I take the question as: why does tokenGroups of rootDSE have 498 but the 
tokenGroups of the RODC account doesn't?

Thanks!

Hongwei


-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: Tuesday, August 17, 2010 12:22 AM
To: Interoperability Documentation Help
Cc: tri...@samba.org; cifs-proto...@samba.org
Subject: How do RODCs get their membership of the ENTERPRISE_RODCs group

We are working on having Samba support Win2k8 servers as read-only 
domain controllers in a Samba4 domain. 

We noticed that RODCs are given primaryGroupID of 521 - the RODC group for the 
local domain.  This happens when they join over LDAP (we can't find the 
documentation for this either, but it's clear from our testing). 

However, all the documentation talks about RODCs being a member of the 
enterprise read only domain controller group - which has a RID of 498. 

How is the 498 implied from the 521?  There isn't a member link between the 
groups for example.  Is it simply linked during token construction somehow?  It 
also does not appear in the tokenGroups of the RODC account over LDAP (as found 
in a base search on the RODC object).

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521

However, it does show up in the tokenGroups in the rootDSE, if we connect *as* 
the RODC

tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-1116
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-498
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-64-10

Can you please explain how we are meant to get from one to the other?

Thanks, 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
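The two tokenGroups listings in the message above are the whole evidence for the question (521 on the object, 498 only in the connection's token). As an added example that is not part of either poster's message and not Samba code, the script below parses those two listings (embedded as constructed sample input copied from the thread), splits each domain SID into domain part and RID, diffs the object view against the rootDSE view, and labels the two well-known RODC RIDs the thread names (498 and 521, per MS-ADTS). The function and variable names are my own.

```python
import re

# Constructed sample input: the two tokenGroups listings quoted in the thread
# (base search on the RODC object vs. rootDSE when bound as the RODC).
OBJECT_TOKENGROUPS = """\
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
"""

ROOTDSE_TOKENGROUPS = """\
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-1116
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-521
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-498
tokenGroups: S-1-5-21-3565189888-2228146013-2029845409-572
tokenGroups: S-1-5-64-10
"""

# Domain-relative well-known RIDs named in the thread (MS-ADTS 7.1.1.3.2).
WELL_KNOWN_DOMAIN_RIDS = {
    498: "ENTERPRISE_RODCs (Enterprise Read-only Domain Controllers)",
    521: "RODCs (Read-only Domain Controllers)",
}

# String-form SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a string-form SID into (identifier authority, tuple of sub-authorities)."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subauths = tuple(int(x) for x in m.group(2).split("-")[1:])
    return authority, subauths


def split_domain_rid(sid):
    """For a domain SID (S-1-5-21-X-Y-Z-RID) return (domain SID, RID); else (None, None)."""
    authority, subauths = parse_sid(sid)
    if authority == 5 and len(subauths) == 5 and subauths[0] == 21:
        domain = "S-1-5-" + "-".join(str(x) for x in subauths[:4])
        return domain, subauths[4]
    return None, None


def parse_tokengroups(ldif_text):
    """Collect the SIDs from 'tokenGroups: <SID>' lines; other attributes are ignored."""
    sids = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == "tokenGroups":
            sids.append(value.strip())
    return sids


def diff_tokengroups(object_text, rootdse_text):
    """Compare the groups stored on the object with the groups in the bound connection's token."""
    on_object = set(parse_tokengroups(object_text))
    on_rootdse = set(parse_tokengroups(rootdse_text))
    return {
        "common": sorted(on_object & on_rootdse),
        "only_in_rootdse": sorted(on_rootdse - on_object),
        "only_in_object": sorted(on_object - on_rootdse),
    }


def well_known_rids(sids):
    """Map each domain SID whose RID is one of the RODC group RIDs to its name."""
    found = {}
    for sid in sids:
        _, rid = split_domain_rid(sid)
        if rid in WELL_KNOWN_DOMAIN_RIDS:
            found[rid] = WELL_KNOWN_DOMAIN_RIDS[rid]
    return found


if __name__ == "__main__":
    result = diff_tokengroups(OBJECT_TOKENGROUPS, ROOTDSE_TOKENGROUPS)
    for key, sids in result.items():
        print(key)
        for sid in sids:
            _, rid = split_domain_rid(sid)
            print(f"  {sid}  {WELL_KNOWN_DOMAIN_RIDS.get(rid, '')}")
```

Run as-is, the "only_in_rootdse" set is where the 498 SID lands, alongside the well-known non-domain SIDs (S-1-1-0, S-1-5-11 and so on) that are only ever materialised at token construction; the two domain SIDs stored on the object (521 and 572) appear in both views. That split is the same distinction the question draws between a stored member link and a group added during token construction.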