
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG:110081752971983] RE: How to RODCs get
From:       Andrew Bartlett <abartlet () samba ! org>
Date:       2010-08-31 20:51:11
Message-ID: 1283287871.14424.4010.camel () obed



On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
> 
> I have been testing and debugging the Windows behavior related to tokenGroups
> rootDSE attribute in RODC.  It seems that I cannot duplicate what you have
> observed.   I have a RODC joined to a domain that has two more RWDCs.  I got the
> following output for the rootDSE in RODC object and RootDSE when I did a base
> search to the RODC from another DC in the same domain.  They don't include RID 498.
>  
> 	Dn: (RootDSE)
> 	tokenGroups (16): 
> 	S-1-5-21-3071076805-1052773752-2226054901-500; 
> 	S-1-5-21-3071076805-1052773752-2226054901-513; 
> 	S-1-1-0; 
> 	S-1-5-32-544; 
> 	S-1-5-32-545; 
> 	S-1-5-32-574; 
> 	S-1-5-32-554; 
> 	S-1-5-2; 
> 	S-1-5-11; 
> 	S-1-5-15; 
> 	S-1-5-21-3071076805-1052773752-2226054901-512; 
> 	S-1-5-21-3071076805-1052773752-2226054901-520; 
> 	S-1-5-21-3071076805-1052773752-2226054901-519; 
> 	S-1-5-21-3071076805-1052773752-2226054901-518; 
> 	S-1-5-21-3071076805-1052773752-2226054901-1103; 
> 	S-1-5-21-3071076805-1052773752-2226054901-572; 

You have connected as the wrong user.  We joined a Windows RODC to the
domain, then changed its password, and ran ldbsearch *as* the RODC,
using the password we set on its account.  You have run the search as
administrator, and naturally returned the tokenGroups for
administrator. 

> 	-----------
> 	***Searching...
> 	ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 0,
> "(objectclass=*)", attrList,  0, &msg)  Getting 1 entries:
> 	Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> 	tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572;
> S-1-5-21-3071076805-1052773752-2226054901-521;

When you connect as the RODC, you should see these SIDs, and the extra
ENTERPRISE_RODCs group in the rootDSE tokenGroups.

I'm sorry I didn't respond earlier - I simply didn't see your mail!

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.



_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
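A worked version of the check Andrew describes above, added here as an example; it is not part of the thread and not Samba or Windows code. Over LDAP the tokenGroups attribute comes back as binary SIDs (the `S-1-5-...` strings in the ldp output are the client's rendering), so the block decodes them and reports whether the bound identity carries the groups the reply says an RODC bind should show. The domain SID is the one from the ldp output in the thread; the RIDs 498 (Enterprise Read-only Domain Controllers), 521 (Read-only Domain Controllers), 572 (Denied RODC Password Replication Group) and 500 (Administrator) are the well-known domain-relative RIDs; the two sample tokenGroups value lists are constructed, and the function names are my own.

```python
import struct

# Domain SID from the thread's ldp output; RIDs are the well-known
# domain-relative RIDs for the accounts and groups discussed in the thread.
DOMAIN_SID = "S-1-5-21-3071076805-1052773752-2226054901"
RID_ADMINISTRATOR = 500
RID_ENTERPRISE_RODCS = 498      # Enterprise Read-only Domain Controllers
RID_RODCS = 521                 # Read-only Domain Controllers
RID_DENIED_RODC_PW_REPL = 572   # Denied RODC Password Replication Group


def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2-...' into the binary SID form an LDAP server returns."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities in %r" % sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")                    # IdentifierAuthority: big-endian
            + b"".join(struct.pack("<I", s) for s in subs))   # SubAuthority[]: little-endian


def bytes_to_sid(raw):
    """Decode one binary tokenGroups value into its string form, validating the length."""
    if len(raw) < 8:
        raise ValueError("SID too short: %d bytes" % len(raw))
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_rid(rid):
    return "%s-%d" % (DOMAIN_SID, rid)


def check_rodc_bind(token_groups):
    """Given the raw rootDSE tokenGroups values of the bound identity, say whether
    the bind looks like the RODC machine account and which expected RODC groups
    are absent.  The rootDSE token reflects whoever bound, not the RODC object."""
    sids = {bytes_to_sid(v) for v in token_groups}
    expected = {domain_rid(RID_RODCS), domain_rid(RID_DENIED_RODC_PW_REPL),
                domain_rid(RID_ENTERPRISE_RODCS)}
    return {
        "sids": sorted(sids),
        "bound_as_administrator": domain_rid(RID_ADMINISTRATOR) in sids,
        "is_rodc": domain_rid(RID_RODCS) in sids,
        "missing": sorted(expected - sids),
    }


# Constructed sample: what a bind as the RODC machine account should yield,
# i.e. the RODC object's own groups (521, 572) plus Enterprise RODCs (498).
RODC_BIND = [sid_to_bytes(s) for s in (
    "S-1-1-0", "S-1-5-11",
    domain_rid(521), domain_rid(572), domain_rid(498))]

# Constructed sample: a subset of the Administrator token shown in the thread.
ADMIN_BIND = [sid_to_bytes(s) for s in (
    "S-1-1-0", "S-1-5-32-544", "S-1-5-11",
    domain_rid(500), domain_rid(513), domain_rid(512), domain_rid(572))]

if __name__ == "__main__":
    for label, tg in (("RODC bind", RODC_BIND), ("Administrator bind", ADMIN_BIND)):
        r = check_rodc_bind(tg)
        print("%-19s is_rodc=%s bound_as_administrator=%s missing=%s"
              % (label, r["is_rodc"], r["bound_as_administrator"], r["missing"]))
```

To feed it real data, bind as the RODC's machine account rather than as Administrator and do a base search of the rootDSE; with Samba's ldbsearch that is of the form `ldbsearch -H ldap://<dc> -U 'CONTOSO\RODC01$%<password>' -s base -b '' tokenGroups`, with `<dc>` and the password being whatever you set on the account.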

