On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
>
> I have been testing and debugging the Windows behavior related to
> tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what
> you have observed. I have a RODC joined to a domain that has two more
> RWDCs. I got the following output for the rootDSE in RODC object and RootDSE
> when I did a base search to the RODC from another DC in the same domain.
> They don't include RID 498.
>
> Dn: (RootDSE)
> tokenGroups (16):
> S-1-5-21-3071076805-1052773752-2226054901-500;
> S-1-5-21-3071076805-1052773752-2226054901-513;
> S-1-1-0;
> S-1-5-32-544;
> S-1-5-32-545;
> S-1-5-32-574;
> S-1-5-32-554;
> S-1-5-2;
> S-1-5-11;
> S-1-5-15;
> S-1-5-21-3071076805-1052773752-2226054901-512;
> S-1-5-21-3071076805-1052773752-2226054901-520;
> S-1-5-21-3071076805-1052773752-2226054901-519;
> S-1-5-21-3071076805-1052773752-2226054901-518;
> S-1-5-21-3071076805-1052773752-2226054901-1103;
> S-1-5-21-3071076805-1052773752-2226054901-572;

You have connected as the wrong user. We joined a Windows RODC to the
domain, then changed its password, and ran ldbsearch *as* the RODC,
using the password we set on its account.

You have run the search as administrator, and naturally returned the
tokenGroups for administrator.

> -----------
> ***Searching...
> ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com",
> 0, "(objectclass=*)", attrList, 0, &msg)
> Getting 1 entries:
> Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572;
> S-1-5-21-3071076805-1052773752-2226054901-521;

When you connect as the RODC, you should see these SIDs, and the extra
ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
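
An added example, not part of the original message or of Samba's code: LDAP clients receive tokenGroups values as binary SIDs, so a script repeating this check has to decode them before it can tell whether the bind identity carries the RODC groups (RIDs 521 and 498) discussed in the thread. The function names and the sample token lists are constructed for illustration, and the code assumes a single-domain forest so that RID 498 sits under the same domain SID.

```python
import struct

# RODC-related RIDs named in this thread, relative to the domain SID.
RODC_RIDS = {498: "Enterprise Read-only Domain Controllers",
             521: "Read-only Domain Controllers"}

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into binary SID form (used here to build samples)."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(raw):
    """Decode a binary SID: revision, count, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def rodc_groups(token_groups, domain_sid):
    """Return the names of RODC groups present in binary tokenGroups values."""
    found = []
    for raw in token_groups:
        prefix, _, rid = sid_from_bytes(raw).rpartition("-")
        # Only RIDs directly under the domain SID count; S-1-5-32-* is skipped.
        if prefix == domain_sid and int(rid) in RODC_RIDS:
            found.append(RODC_RIDS[int(rid)])
    return sorted(found)

DOMAIN = "S-1-5-21-3071076805-1052773752-2226054901"  # domain SID from the thread
# Constructed samples: a subset of the administrator output quoted above, and
# the set the reply says a bind as the RODC should show (572, 521, plus 498).
ADMIN_TOKEN = [sid_to_bytes(s) for s in
               (DOMAIN + "-500", DOMAIN + "-512", "S-1-5-32-544", "S-1-5-11")]
RODC_TOKEN = [sid_to_bytes(s) for s in
              (DOMAIN + "-572", DOMAIN + "-521", DOMAIN + "-498", "S-1-5-11")]

if __name__ == "__main__":
    print("administrator bind:", rodc_groups(ADMIN_TOKEN, DOMAIN))
    print("RODC bind:         ", rodc_groups(RODC_TOKEN, DOMAIN))
```

An empty result for a rootDSE search against an RODC account usually means the search was bound as some other identity, which is the situation the reply describes.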