List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:110081752971983] RE: How to RODCs get
From: Andrew Bartlett <abartlet () samba ! org>
Date: 2010-08-31 20:51:11
Message-ID: 1283287871.14424.4010.camel () obed
On Mon, 2010-08-23 at 23:37 +0000, Hongwei Sun wrote:
> Tridge/Andrew,
>
> I have been testing and debugging the Windows behavior related to tokenGroups
> rootDSE attribute in RODC. It seems that I cannot duplicate what you have
> observed. I have a RODC joined to a domain that has two more RWDCs. I got the
> following output for the rootDSE in RODC object and RootDSE when I did a base
> search to the RODC from another DC in the same domain. They don't include RID 498.
>
> Dn: (RootDSE)
> tokenGroups (16):
> S-1-5-21-3071076805-1052773752-2226054901-500;
> S-1-5-21-3071076805-1052773752-2226054901-513;
> S-1-1-0;
> S-1-5-32-544;
> S-1-5-32-545;
> S-1-5-32-574;
> S-1-5-32-554;
> S-1-5-2;
> S-1-5-11;
> S-1-5-15;
> S-1-5-21-3071076805-1052773752-2226054901-512;
> S-1-5-21-3071076805-1052773752-2226054901-520;
> S-1-5-21-3071076805-1052773752-2226054901-519;
> S-1-5-21-3071076805-1052773752-2226054901-518;
> S-1-5-21-3071076805-1052773752-2226054901-1103;
> S-1-5-21-3071076805-1052773752-2226054901-572;
You have connected as the wrong user. We joined a Windows RODC to the
domain, then changed its password, and ran ldbsearch *as* the RODC,
using the password we set on its account. You have run the search as
administrator, and naturally returned the tokenGroups for
administrator.
> -----------
> ***Searching...
> ldap_search_s(ld, "CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com", 0,
> "(objectclass=*)", attrList, 0, &msg) Getting 1 entries:
> Dn: CN=RODC01,OU=Domain Controllers,DC=contoso,DC=com
> tokenGroups (2): S-1-5-21-3071076805-1052773752-2226054901-572;
> S-1-5-21-3071076805-1052773752-2226054901-521;
When you connect as the RODC, you should see these SIDs, and the extra
ENTERPRISE_RODCs group in the rootDSE tokenGroups.
I'm sorry I didn't respond earlier - I simply didn't see your mail!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
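The point of the exchange above is that the rootDSE tokenGroups attribute describes whoever the LDAP connection is bound as, so the check that matters is "which account did I bind with, and what are its group RIDs?". The following is an added example, not code from the thread or from Samba: it decodes the binary SID values that an LDAP client actually receives in tokenGroups (ldp.exe and ldbsearch render them as the S-1-... strings shown above), and then applies the test Andrew applies by eye, namely whether the domain-relative RIDs 521 (Read-only Domain Controllers) and 498 (ENTERPRISE_RODCs) are present versus the administrator RIDs 500/512/519. The RID constants come from MS-DTYP/MS-SAMR; the sample inputs are constructed from the SIDs quoted in the thread, with the RODC-bound case built from Andrew's description of what such a search should return.

```python
import struct

# Well-known domain-relative RIDs that matter for the thread above
# (values from MS-DTYP 2.4.2.4 / MS-SAMR; these are not assumptions).
RID_ADMINISTRATOR = 500
RID_DOMAIN_ADMINS = 512
RID_ENTERPRISE_ADMINS = 519
RID_ENTERPRISE_RODCS = 498   # ENTERPRISE_RODCs, the group Andrew expects to see
RID_RODCS = 521              # Read-only Domain Controllers
RID_DENIED_RODC_PASSWORD_REPLICATION = 572


def sid_to_str(blob):
    """Decode a binary SID (the form LDAP returns in tokenGroups) into 'S-1-...'."""
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or sub_count > 15:
        raise ValueError("bad SID revision or SubAuthorityCount")
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match SubAuthorityCount")
    # IdentifierAuthority is a 6-byte big-endian integer; SubAuthorities are
    # 32-bit little-endian values.
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def str_to_sid(text):
    """Encode 'S-1-...' back into the binary layout; the inverse of sid_to_str."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-R-I-S... SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID components out of range: %r" % text)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-500' into ('S-1-5-21-a-b-c', 500)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify_bind(token_groups, domain_sid):
    """Say what kind of principal a rootDSE tokenGroups list belongs to.

    token_groups: SID strings as printed by ldbsearch/ldp, or raw bytes straight
    out of the LDAP result; domain_sid: the S-1-5-21-... prefix of the domain.
    Only domain-relative RIDs are inspected; BUILTIN and S-1-5-x SIDs are ignored.
    """
    sids = [sid_to_str(s) if isinstance(s, (bytes, bytearray)) else s
            for s in token_groups]
    domain_rids = {split_sid(s)[1] for s in sids if split_sid(s)[0] == domain_sid}
    admin_rids = {RID_ADMINISTRATOR, RID_DOMAIN_ADMINS, RID_ENTERPRISE_ADMINS}
    return {
        "is_rodc": RID_RODCS in domain_rids,
        "is_enterprise_rodc": RID_ENTERPRISE_RODCS in domain_rids,
        "is_admin": bool(domain_rids & admin_rids),
        "denied_rodc_password_replication":
            RID_DENIED_RODC_PASSWORD_REPLICATION in domain_rids,
    }


# --- constructed sample input (taken from the SIDs quoted in the thread) -------
DOMAIN_SID = "S-1-5-21-3071076805-1052773752-2226054901"

# The tokenGroups Hongwei's rootDSE search returned while bound as administrator.
ADMIN_BIND = [DOMAIN_SID + "-%d" % r for r in (500, 513, 512, 520, 519, 518, 1103, 572)] + [
    "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-574", "S-1-5-32-554",
    "S-1-5-2", "S-1-5-11", "S-1-5-15",
]

# What Andrew says a search bound as RODC01$ should return: the two groups from the
# RODC object's own tokenGroups plus ENTERPRISE_RODCs. Constructed from his
# description and encoded as raw bytes to exercise the wire-format decoder.
RODC_BIND = [str_to_sid(DOMAIN_SID + "-%d" % r) for r in (572, 521, 498)]

if __name__ == "__main__":
    for label, groups in (("administrator bind", ADMIN_BIND), ("RODC01$ bind", RODC_BIND)):
        print(label, classify_bind(groups, DOMAIN_SID))
```

To reproduce the thread's observation rather than Hongwei's, the search has to be bound as the RODC machine account itself, in the shape Samba's ldbsearch takes: `ldbsearch -H ldap://<dc> -U 'RODC01$'%<password> -b '' -s base '(objectclass=*)' tokenGroups` (host and password are placeholders). tokenGroups is a constructed attribute and is only returned when named explicitly in the attribute list; if the result classifies as `is_admin`, the bind credentials were not the RODC's and the 498/521 comparison is meaningless.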
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol