On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
> 
>    I have been testing and debugging the Windows behavior related to 
> tokenGroups rootDSE attribute in RODC.  It seems that I cannot duplicate what 
> you have observed.   I have a RODC joined to a domain that has two more 
> RWDCs.  I got the following output for the rootDSE in RODC object and RootDSE 
> when I did a base search to the RODC from another DC in the same domain.  
> They don't include RID 498.  
> 
>       Dn: (RootDSE)
>       tokenGroups (16): 
>       S-1-5-21-3071076805-1052773752-2226054901-500; 
>       S-1-5-21-3071076805-1052773752-2226054901-513; 
>       S-1-1-0; 
>       S-1-5-32-544; 
>       S-1-5-32-545; 
>       S-1-5-32-574; 
>       S-1-5-32-554; 
>       S-1-5-2; 
>       S-1-5-11; 
>       S-1-5-15; 
>       S-1-5-21-3071076805-1052773752-2226054901-512; 
>       S-1-5-21-3071076805-1052773752-2226054901-520; 
>       S-1-5-21-3071076805-1052773752-2226054901-519; 
>       S-1-5-21-3071076805-1052773752-2226054901-518; 
>       S-1-5-21-3071076805-1052773752-2226054901-1103; 
>       S-1-5-21-3071076805-1052773752-2226054901-572; 

You have connected as the wrong user.  We joined a Windows RODC to the
domain, then changed its password, and ran ldbsearch *as* the RODC,
using the password we set on its account.  You have run the search as
administrator, and naturally returned the tokenGroups for
administrator.

>       -----------
>       ***Searching...
>       ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 
> 0, "(objectclass=*)", attrList,  0, &msg)
>       Getting 1 entries:
>       Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
>       tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572; 
> S-1-5-21-3071076805-1052773752-2226054901-521; 

When you connect as the RODC, you should see these SIDs, and the extra
ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
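As an added illustration of the point Andrew makes (not code from the thread or from Samba), the check below parses an ldp.exe-style tokenGroups dump and tells an administrator's token apart from an RODC's by the well-known domain RIDs; the RODC rootDSE sample is constructed, the other two are taken from the output quoted above.

```python
import re

# Well-known domain-relative RIDs (S-1-5-21-<domain>-<RID>).
RID_ADMINISTRATOR = 500
RID_DOMAIN_ADMINS = 512
RID_ENTERPRISE_RODCS = 498        # ENTERPRISE_RODCs, the group discussed in the thread
RID_READONLY_DCS = 521            # Read-only Domain Controllers
RID_DENIED_RODC_PWD_REPL = 572    # Denied RODC Password Replication Group

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def parse_token_groups(text):
    """Extract every SID string from a tokenGroups dump as printed by ldp.exe."""
    return SID_RE.findall(text)


def domain_rids(sids):
    """Return the set of RIDs of the domain SIDs in the list (well-known SIDs are ignored)."""
    return {int(m.group(1)) for s in sids if (m := DOMAIN_SID_RE.fullmatch(s))}


def classify_token(text):
    """Decide whose tokenGroups this is: administrator, an RODC, or something else."""
    rids = domain_rids(parse_token_groups(text))
    if RID_ADMINISTRATOR in rids or RID_DOMAIN_ADMINS in rids:
        return "administrator"
    if RID_READONLY_DCS in rids:
        # A rootDSE search bound as the RODC is expected to carry RID 498 as well.
        return "rodc" if RID_ENTERPRISE_RODCS in rids else "rodc-missing-498"
    return "other"


# Sample 1: the rootDSE dump from the thread, bound as administrator.
ADMIN_ROOTDSE = """tokenGroups (16): S-1-5-21-3071076805-1052773752-2226054901-500;
S-1-5-21-3071076805-1052773752-2226054901-513; S-1-1-0; S-1-5-32-544; S-1-5-32-545;
S-1-5-32-574; S-1-5-32-554; S-1-5-2; S-1-5-11; S-1-5-15;
S-1-5-21-3071076805-1052773752-2226054901-512; S-1-5-21-3071076805-1052773752-2226054901-520;
S-1-5-21-3071076805-1052773752-2226054901-519; S-1-5-21-3071076805-1052773752-2226054901-518;
S-1-5-21-3071076805-1052773752-2226054901-1103; S-1-5-21-3071076805-1052773752-2226054901-572;"""

# Sample 2: the RODC computer object's tokenGroups from the thread (no RID 498 present).
RODC_OBJECT = """tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572;
S-1-5-21-3071076805-1052773752-2226054901-521;"""

# Sample 3: constructed rootDSE dump as Andrew describes it when bound as the RODC.
RODC_ROOTDSE = """tokenGroups (4): S-1-5-21-3071076805-1052773752-2226054901-521;
S-1-5-21-3071076805-1052773752-2226054901-572; S-1-5-11;
S-1-5-21-3071076805-1052773752-2226054901-498;"""
```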

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol