Re: [cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
Andrew,

I duplicated the behavior using the information you provided. Thanks!

We confirmed that the observed behavior is expected due to the following logic: if the user account is a RODC machine account, in which the UserAccountControl flag on the account object has USER_WORKSTATION_TRUST_ACCOUNT | USER_PARTIAL_SECRETS_ACCOUNT set, the RID DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS (498) will be automatically added to the SID list for group membership.

We are working on finding the appropriate way to document the behavior in the future release of the protocol documents.

Thanks!

Hongwei

-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: Tuesday, August 31, 2010 3:51 PM
To: Hongwei Sun
Cc: tri...@samba.org; cifs-proto...@samba.org; MSSolve Case Email
Subject: RE: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

On Mon, 2010-08-23 at 23:37 +, Hongwei Sun wrote:
> Tridge/Andrew,
>
> I have been testing and debugging the Windows behavior related to the tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what you have observed. I have a RODC joined to a domain that has two more RWDCs. I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain. They don't include RID 498.
>
> Dn: (RootDSE)
> tokenGroups (16):
>   S-1-5-21-3071076805-1052773752-2226054901-500;
>   S-1-5-21-3071076805-1052773752-2226054901-513;
>   S-1-1-0;
>   S-1-5-32-544;
>   S-1-5-32-545;
>   S-1-5-32-574;
>   S-1-5-32-554;
>   S-1-5-2;
>   S-1-5-11;
>   S-1-5-15;
>   S-1-5-21-3071076805-1052773752-2226054901-512;
>   S-1-5-21-3071076805-1052773752-2226054901-520;
>   S-1-5-21-3071076805-1052773752-2226054901-519;
>   S-1-5-21-3071076805-1052773752-2226054901-518;
>   S-1-5-21-3071076805-1052773752-2226054901-1103;
>   S-1-5-21-3071076805-1052773752-2226054901-572;

You have connected as the wrong user.

We joined a Windows RODC to the domain, then changed its password, and ran ldbsearch *as* the RODC, using the password we set on its account. You have run the search as administrator, and naturally returned the tokenGroups for administrator.

> ---
> ***Searching...
> ldap_search_s(ld, CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com, 0, (objectclass=*), attrList, 0, msg)
> Getting 1 entries:
> Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> tokenGroups (2):
>   S-1-5-21-3071076805-1052773752-2226054901-572;
>   S-1-5-21-3071076805-1052773752-2226054901-521;

When you connect as the RODC, you should see these SIDs, and the extra ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
Re: [cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
On Mon, 2010-08-23 at 23:37 +, Hongwei Sun wrote:
> Tridge/Andrew,
>
> I have been testing and debugging the Windows behavior related to the tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what you have observed. I have a RODC joined to a domain that has two more RWDCs. I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain. They don't include RID 498.
>
> Dn: (RootDSE)
> tokenGroups (16):
>   S-1-5-21-3071076805-1052773752-2226054901-500;
>   S-1-5-21-3071076805-1052773752-2226054901-513;
>   S-1-1-0;
>   S-1-5-32-544;
>   S-1-5-32-545;
>   S-1-5-32-574;
>   S-1-5-32-554;
>   S-1-5-2;
>   S-1-5-11;
>   S-1-5-15;
>   S-1-5-21-3071076805-1052773752-2226054901-512;
>   S-1-5-21-3071076805-1052773752-2226054901-520;
>   S-1-5-21-3071076805-1052773752-2226054901-519;
>   S-1-5-21-3071076805-1052773752-2226054901-518;
>   S-1-5-21-3071076805-1052773752-2226054901-1103;
>   S-1-5-21-3071076805-1052773752-2226054901-572;

You have connected as the wrong user.

We joined a Windows RODC to the domain, then changed its password, and ran ldbsearch *as* the RODC, using the password we set on its account. You have run the search as administrator, and naturally returned the tokenGroups for administrator.

> ---
> ***Searching...
> ldap_search_s(ld, CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com, 0, (objectclass=*), attrList, 0, msg)
> Getting 1 entries:
> Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> tokenGroups (2):
>   S-1-5-21-3071076805-1052773752-2226054901-572;
>   S-1-5-21-3071076805-1052773752-2226054901-521;

When you connect as the RODC, you should see these SIDs, and the extra ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
Re: [cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
Tridge/Andrew,

Have you got a chance to take a look at this? If you can send a confirmation and some information, then I can continue to work on it. I understand that you are probably busy with preparing for IO Lab. If you prefer to work on this together during IO Lab, I am fine with that too.

Thanks!

Hongwei

-----Original Message-----
From: Hongwei Sun
Sent: Monday, August 23, 2010 6:37 PM
To: 'tri...@samba.org'
Cc: Andrew Bartlett; cifs-proto...@samba.org; MSSolve Case Email
Subject: RE: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Tridge/Andrew,

I have been testing and debugging the Windows behavior related to the tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what you have observed. I have a RODC joined to a domain that has two more RWDCs. I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain. They don't include RID 498.

Dn: (RootDSE)
tokenGroups (16):
  S-1-5-21-3071076805-1052773752-2226054901-500;
  S-1-5-21-3071076805-1052773752-2226054901-513;
  S-1-1-0;
  S-1-5-32-544;
  S-1-5-32-545;
  S-1-5-32-574;
  S-1-5-32-554;
  S-1-5-2;
  S-1-5-11;
  S-1-5-15;
  S-1-5-21-3071076805-1052773752-2226054901-512;
  S-1-5-21-3071076805-1052773752-2226054901-520;
  S-1-5-21-3071076805-1052773752-2226054901-519;
  S-1-5-21-3071076805-1052773752-2226054901-518;
  S-1-5-21-3071076805-1052773752-2226054901-1103;
  S-1-5-21-3071076805-1052773752-2226054901-572;

---
***Searching...
ldap_search_s(ld, CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com, 0, (objectclass=*), attrList, 0, msg)
Getting 1 entries:
Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
tokenGroups (2):
  S-1-5-21-3071076805-1052773752-2226054901-572;
  S-1-5-21-3071076805-1052773752-2226054901-521;

I am wondering what the difference is between your environment and my repro. Andrew mentioned that

> However, it does show up in the tokenGroups in the rootDSE, if we connect *as* the RODC.

Does that mean the Samba DC is connected as a RODC?

Thanks!

Hongwei

-----Original Message-----
From: tri...@samba.org [mailto:tri...@samba.org]
Sent: Tuesday, August 17, 2010 7:30 PM
To: Hongwei Sun
Cc: Andrew Bartlett; cifs-proto...@samba.org; MSSolve Case Email
Subject: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hi Hongwei,

> You mentioned that all the documentation talks about RODCs being a member of the enterprise read only domain controller group, which has a RID of 498. What part of the document do you refer to?

See for example [MS-DRSR] 4.1.10.5.12 which has this:

    * 1. Caller is an RODC. An RODC will always be a member of
    * Enterprise Read-Only Domain Controllers (RID 498)

> Should I take the question as why tokenGroups of rootDSE has 498 but the tokenGroups of RODC account doesn't have it?

That is one way to look at it. We can see via tokenGroups that RODCs are a member of both the group with RID 498 and the group with RID 521.

Normally a user becomes a member of a group in one of three ways.

1) via it being the primaryGroupID of the user
2) via a member attribute on a group (or equivalently via a memberOf back link)
3) via some special handling that adds things like anonymous or world or other special groups

We suspect that RODCs being a member of 498 is due to something in the special handling category, but we'd like to know what the nature of that special handling is. For example, is it something as simple as when constructing the token for a user, always add RID 498 if they have RID 521 in their token from the same domain. Where things may get tricky is in the inter-domain (eg. forest) handling.

We'd like to make sure we get this right, or at least understand how we're getting it wrong :-)

Cheers, Tridge
Re: [cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
Tridge/Andrew,

I have been testing and debugging the Windows behavior related to the tokenGroups rootDSE attribute in RODC. It seems that I cannot duplicate what you have observed. I have a RODC joined to a domain that has two more RWDCs. I got the following output for the rootDSE in RODC object and RootDSE when I did a base search to the RODC from another DC in the same domain. They don't include RID 498.

Dn: (RootDSE)
tokenGroups (16):
  S-1-5-21-3071076805-1052773752-2226054901-500;
  S-1-5-21-3071076805-1052773752-2226054901-513;
  S-1-1-0;
  S-1-5-32-544;
  S-1-5-32-545;
  S-1-5-32-574;
  S-1-5-32-554;
  S-1-5-2;
  S-1-5-11;
  S-1-5-15;
  S-1-5-21-3071076805-1052773752-2226054901-512;
  S-1-5-21-3071076805-1052773752-2226054901-520;
  S-1-5-21-3071076805-1052773752-2226054901-519;
  S-1-5-21-3071076805-1052773752-2226054901-518;
  S-1-5-21-3071076805-1052773752-2226054901-1103;
  S-1-5-21-3071076805-1052773752-2226054901-572;

---
***Searching...
ldap_search_s(ld, CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com, 0, (objectclass=*), attrList, 0, msg)
Getting 1 entries:
Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
tokenGroups (2):
  S-1-5-21-3071076805-1052773752-2226054901-572;
  S-1-5-21-3071076805-1052773752-2226054901-521;

I am wondering what the difference is between your environment and my repro. Andrew mentioned that

> However, it does show up in the tokenGroups in the rootDSE, if we connect *as* the RODC.

Does that mean the Samba DC is connected as a RODC?

Thanks!

Hongwei

-----Original Message-----
From: tri...@samba.org [mailto:tri...@samba.org]
Sent: Tuesday, August 17, 2010 7:30 PM
To: Hongwei Sun
Cc: Andrew Bartlett; cifs-proto...@samba.org; MSSolve Case Email
Subject: [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group

Hi Hongwei,

> You mentioned that all the documentation talks about RODCs being a member of the enterprise read only domain controller group, which has a RID of 498. What part of the document do you refer to?

See for example [MS-DRSR] 4.1.10.5.12 which has this:

    * 1. Caller is an RODC. An RODC will always be a member of
    * Enterprise Read-Only Domain Controllers (RID 498)

> Should I take the question as why tokenGroups of rootDSE has 498 but the tokenGroups of RODC account doesn't have it?

That is one way to look at it. We can see via tokenGroups that RODCs are a member of both the group with RID 498 and the group with RID 521.

Normally a user becomes a member of a group in one of three ways.

1) via it being the primaryGroupID of the user
2) via a member attribute on a group (or equivalently via a memberOf back link)
3) via some special handling that adds things like anonymous or world or other special groups

We suspect that RODCs being a member of 498 is due to something in the special handling category, but we'd like to know what the nature of that special handling is. For example, is it something as simple as when constructing the token for a user, always add RID 498 if they have RID 521 in their token from the same domain. Where things may get tricky is in the inter-domain (eg. forest) handling.

We'd like to make sure we get this right, or at least understand how we're getting it wrong :-)

Cheers, Tridge
[cifs-protocol] [REG:110081752971983] RE: How to RODCs get their membership of the ENTERPRISE_RODCs group
Hi Hongwei,

> You mentioned that all the documentation talks about RODCs being a member of the enterprise read only domain controller group, which has a RID of 498. What part of the document do you refer to?

See for example [MS-DRSR] 4.1.10.5.12 which has this:

    * 1. Caller is an RODC. An RODC will always be a member of
    * Enterprise Read-Only Domain Controllers (RID 498)

> Should I take the question as why tokenGroups of rootDSE has 498 but the tokenGroups of RODC account doesn't have it?

That is one way to look at it. We can see via tokenGroups that RODCs are a member of both the group with RID 498 and the group with RID 521.

Normally a user becomes a member of a group in one of three ways.

1) via it being the primaryGroupID of the user
2) via a member attribute on a group (or equivalently via a memberOf back link)
3) via some special handling that adds things like anonymous or world or other special groups

We suspect that RODCs being a member of 498 is due to something in the special handling category, but we'd like to know what the nature of that special handling is. For example, is it something as simple as when constructing the token for a user, always add RID 498 if they have RID 521 in their token from the same domain. Where things may get tricky is in the inter-domain (eg. forest) handling.

We'd like to make sure we get this right, or at least understand how we're getting it wrong :-)

Cheers, Tridge
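As an added illustration of the three membership paths Tridge lists in this message, and of the special-handling rule Hongwei confirms at the top of the thread (RID 498 is added when the account's UserAccountControl has both USER_WORKSTATION_TRUST_ACCOUNT and USER_PARTIAL_SECRETS_ACCOUNT set), the following Python is example code written for this page; it is not code from the thread, from Samba or from Windows. The UF_* bit values are the documented userAccountControl flags; the domain SID is the one from Hongwei's LDP output, while the account RIDs 1104/1105/1106 and the memberOf list are constructed. It also separates what the account object's own tokenGroups reports (paths 1 and 2) from the token built for the connected principal (path 3), which is exactly the difference Andrew's "connect *as* the RODC" remark turns on.

```python
# Added example, not code from this thread, from Samba or from Windows.
# Models the three membership paths (primaryGroupID, member/memberOf links,
# special handling) and the confirmed rule: an account whose
# userAccountControl has both USER_WORKSTATION_TRUST_ACCOUNT and
# USER_PARTIAL_SECRETS_ACCOUNT set gets RID 498 of its own domain added
# when its token is built.

# Documented userAccountControl bits (UF_* names as used in Samba / MS-SAMR).
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000      # writable DC; does not get 498 by this rule
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Well-known domain-relative RIDs named in the thread.
DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS = 498
DOMAIN_GROUP_RID_READONLY_CONTROLLERS = 521

# Domain SID taken from Hongwei's LDP output; the account RIDs used below are constructed.
EXAMPLE_DOMAIN_SID = "S-1-5-21-3071076805-1052773752-2226054901"


def domain_of(sid: str) -> str:
    """Return the domain part of S-1-5-21-a-b-c-rid (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


def is_rodc_account(user_account_control: int) -> bool:
    """Both bits must be set; a plain workstation or a writable DC has at most one."""
    rodc_bits = UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT
    return (user_account_control & rodc_bits) == rodc_bits


def stored_token_groups(domain_sid: str, primary_group_rid: int, member_of: list) -> list:
    """Paths 1 and 2: primaryGroupID plus member/memberOf links.

    This is what tokenGroups on the account object itself reports; in the
    thread the RODC01 object shows only RIDs 572 and 521 here, never 498.
    """
    groups = {f"{domain_sid}-{primary_group_rid}"}
    groups.update(member_of)
    return sorted(groups)


def build_token_groups(account_sid: str, user_account_control: int,
                       primary_group_rid: int, member_of: list) -> list:
    """Path 3 on top of the stored groups: the token built for the connected
    principal, i.e. what rootDSE tokenGroups shows when bound *as* the RODC."""
    domain_sid = domain_of(account_sid)
    groups = set(stored_token_groups(domain_sid, primary_group_rid, member_of))
    if is_rodc_account(user_account_control):
        # Only the account's own domain SID is used here; the inter-domain
        # (forest) handling Tridge asks about is left open by the thread.
        groups.add(f"{domain_sid}-{DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS}")
    return sorted(groups)


def unexpected_rid498(account_sid: str, user_account_control: int, token_groups: list) -> bool:
    """Audit helper: True if a token carries Enterprise RODCs (498) for an
    account that lacks the RODC userAccountControl bits. Under the confirmed
    rule that should not happen, so it is worth flagging when reviewing tokens."""
    sid_498 = f"{domain_of(account_sid)}-{DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS}"
    return sid_498 in token_groups and not is_rodc_account(user_account_control)


if __name__ == "__main__":
    rodc = EXAMPLE_DOMAIN_SID + "-1104"          # constructed RID standing in for RODC01
    uac = UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT
    member_of = [EXAMPLE_DOMAIN_SID + "-572"]    # the other group in Hongwei's output
    print("object tokenGroups :", stored_token_groups(EXAMPLE_DOMAIN_SID, 521, member_of))
    print("connected token    :", build_token_groups(rodc, uac, 521, member_of))
```

Run stand-alone it prints the two-entry list the RODC01 object reports and the three-entry list (with 498) that the connected RODC's own token carries; a writable DC account (UF_SERVER_TRUST_ACCOUNT) or a workstation without the partial-secrets bit gets no 498 from this rule.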