Andrew,
I duplicated the behavior using the information you provided. Thanks! We
confirmed that the observed behavior is expected due to the following logic:
If the user account is a RODC machine account, in which UserAccountControl
flag on the account object has USER_WORKSTATION_TRUST_ACCOUNT |
USER_PARTIAL_SECRETS_ACCOUNT set, the RID
DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS(498) will be
automatically added to SID list for group membership.
We are working on finding the appropriate way to document the behavior in
the future release of the protocol documents.
Thanks!
Hongwei
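The rule Hongwei describes above, written out as a small Python model so that a Samba developer can check what an RODC's rootDSE tokenGroups should contain. This is an added example and not code from the thread, from Samba or from Microsoft. It expresses the check on the LDAP userAccountControl encoding (the UF_* bit values that ldbsearch returns), which correspond to the SAMR USER_WORKSTATION_TRUST_ACCOUNT and USER_PARTIAL_SECRETS_ACCOUNT flags named in the mail; the domain SID and the RIDs 572 and 521 are taken from the quoted output, while the RODC account RID 1105 and the userAccountControl values are constructed sample input.

```python
# Added example: model of the ENTERPRISE_RODCs (RID 498) expansion rule
# described in the thread. Not Samba or Windows code.

# LDAP userAccountControl bit values (UF_* encoding, as returned by ldbsearch).
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Domain-relative RID named in the thread.
DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS = 498

# Constructed sample input. Domain SID and the two group RIDs come from the
# quoted ldbsearch output; the account RID 1105 is made up for this example.
DOMAIN_SID = "S-1-5-21-3071076805-1052773752-2226054901"
RODC_ACCOUNT_SID = DOMAIN_SID + "-1105"
RODC_OBJECT_TOKEN_GROUPS = [DOMAIN_SID + "-572", DOMAIN_SID + "-521"]


def is_rodc_account(user_account_control: int) -> bool:
    """True when both trust-account bits that identify an RODC machine
    account are set (workstation trust + partial secrets)."""
    required = UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT
    return user_account_control & required == required


def domain_sid_of(sid: str) -> "str | None":
    """Strip the RID from a domain account/group SID (S-1-5-21-a-b-c-RID).
    Returns None for well-known or builtin SIDs, which carry no domain part."""
    parts = sid.split("-")
    if len(parts) == 8 and sid.startswith("S-1-5-21-"):
        return "-".join(parts[:-1])
    return None


def expected_rootdse_token_groups(user_account_control: int,
                                  account_sid: str,
                                  object_token_groups: list) -> list:
    """Domain group SIDs a connection as this account should carry.

    Starts from the tokenGroups stored on the account object and, for an
    RODC machine account, appends <domain SID>-498 as the thread describes.
    Well-known SIDs (Everyone, Authenticated Users, ...) that a real token
    also contains are outside the scope of this model.
    """
    domain_sid = domain_sid_of(account_sid)
    if domain_sid is None:
        raise ValueError("account SID is not a domain SID: %s" % account_sid)
    # Preserve order, drop duplicates.
    groups = list(dict.fromkeys(object_token_groups))
    if is_rodc_account(user_account_control):
        enterprise_rodcs = "%s-%d" % (
            domain_sid, DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS)
        if enterprise_rodcs not in groups:
            groups.append(enterprise_rodcs)
    return groups


if __name__ == "__main__":
    # Constructed userAccountControl values: an RODC, an RWDC, a plain member.
    for label, uac in (("RODC", 0x05001000), ("RWDC", 0x00082000),
                       ("workstation", 0x00001000)):
        print(label, hex(uac), is_rodc_account(uac),
              expected_rootdse_token_groups(uac, RODC_ACCOUNT_SID,
                                            RODC_OBJECT_TOKEN_GROUPS))
```

Only the RODC case gains the extra SID; an RWDC (UF_SERVER_TRUST_ACCOUNT without the partial-secrets bit) and an ordinary workstation account keep just the groups stored on the object, which is why a search bound as Administrator, as in the quoted output, never shows RID 498.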
-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Tuesday, August 31, 2010 3:51 PM
To: Hongwei Sun
Cc: [email protected]; [email protected]; MSSolve Case Email
Subject: RE: [REG:110081752971983] RE: How to RODCs get their membership of the
ENTERPRISE_RODCs group
On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
>
> I have been testing and debugging the Windows behavior related to
> tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what
> you have observed. I have a RODC joined to a domain that has two more
> RWDCs. I got the following output for the rootDSE in RODC object and RootDSE
> when I did a base search to the RODC from another DC in the same domain.
> They don't include RID 498.
>
> Dn: (RootDSE)
> tokenGroups (16):
> S-1-5-21-3071076805-1052773752-2226054901-500;
> S-1-5-21-3071076805-1052773752-2226054901-513;
> S-1-1-0;
> S-1-5-32-544;
> S-1-5-32-545;
> S-1-5-32-574;
> S-1-5-32-554;
> S-1-5-2;
> S-1-5-11;
> S-1-5-15;
> S-1-5-21-3071076805-1052773752-2226054901-512;
> S-1-5-21-3071076805-1052773752-2226054901-520;
> S-1-5-21-3071076805-1052773752-2226054901-519;
> S-1-5-21-3071076805-1052773752-2226054901-518;
> S-1-5-21-3071076805-1052773752-2226054901-1103;
> S-1-5-21-3071076805-1052773752-2226054901-572;
You have connected as the wrong user. We joined a Windows RODC to the domain,
then changed its password, and ran ldbsearch *as* the RODC, using the password
we set on its account. You have run the search as administrator, and
naturally returned the tokenGroups for administrator.
> -----------
> ***Searching...
> ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com",
> 0, "(objectclass=*)", attrList, 0, &msg)
> Getting 1 entries:
> Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572;
> S-1-5-21-3071076805-1052773752-2226054901-521;
When you connect as the RODC, you should see these SIDs, and the extra
ENTERPRISE_RODCs group in the rootDSE tokenGroups.
I'm sorry I didn't respond earlier - I simply didn't see your mail!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol