Group membership in AD

From SambaWiki
Revision as of 04:58, 23 April 2020 by Abartlet (How to obtain user SIDs (final tokens))

The User token and Group memberships in AD

All users accessing a Samba server, indeed any server or service in an AD domain, have a list of groups associated with them. This list is often referred to as the Kerberos PAC; strictly speaking, the PAC is the surrounding structure, which is signed and carried inside the encrypted part of a Kerberos ticket. The user's group information is in that ticket, but it is not trivially accessible.

Group membership in AD is recursive, and group-based

Most users in an AD will have a number of attribute values describing the groups they are a member of. These are memberOf and primaryGroupID.

However, this is not the total group membership, because those groups may themselves be members of other groups.

The full membership can be discovered by recursion, but this is slow and may be error-prone if the domain is part of a larger forest or there are inter-forest trusts.

Finally, it should of course be remembered that group membership is actually controlled by the member attribute on the groups and the primaryGroupID attribute on the user, not by the memberOf backlink. Only the member attributes are available for modification.
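The recursion described above, as an added example that is not Samba's own code: it walks only the authoritative forward links (member on groups, primaryGroupID on the user) over a small constructed in-memory directory, and it keeps a visited set because AD allows nested groups to form cycles. The DNs, the extra groups Ops and Platform and their RIDs are constructed for the example; the domain SID is the one from the sample output on this page.

```python
"""Transitive group expansion driven by the forward links (member and
primaryGroupID), which is what tokenGroups reports. Added example, not Samba code."""
from collections import deque

# Domain SID taken from the sample output on this page.
DOMAIN_SID = "S-1-5-21-4023018537-2373006774-1847616786"

ADMIN_DN = "CN=Administrator,CN=Users,DC=example,DC=com"

# Constructed in-memory directory: DN -> attributes. Only the authoritative
# forward links are modelled ('member' on groups, 'primaryGroupID' on users);
# the memberOf backlink is deliberately absent, since it is not what controls
# membership. In a real domain each lookup below would be an LDAP search.
DIRECTORY = {
    ADMIN_DN: {
        "objectSid": f"{DOMAIN_SID}-500",
        "primaryGroupID": 513,           # Domain Users; not listed via 'member'
    },
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-513", "member": [],
    },
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-512", "member": [ADMIN_DN],
    },
    "CN=Administrators,CN=Builtin,DC=example,DC=com": {
        "objectSid": "S-1-5-32-544",
        "member": ["CN=Domain Admins,CN=Users,DC=example,DC=com", ADMIN_DN],
    },
    "CN=Users,CN=Builtin,DC=example,DC=com": {
        "objectSid": "S-1-5-32-545",
        "member": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
    # Constructed nested cycle: Ops -> Platform -> Ops. AD permits this, so a
    # naive recursion that does not track visited groups never terminates.
    "CN=Ops,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1101",
        "member": ["CN=Platform,CN=Users,DC=example,DC=com"],
    },
    "CN=Platform,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1102",
        "member": ["CN=Ops,CN=Users,DC=example,DC=com", ADMIN_DN],
    },
}


def sid_to_dn(sid):
    """Resolve an objectSid to its DN (an LDAP search on objectSid in practice)."""
    for dn, attrs in DIRECTORY.items():
        if attrs["objectSid"] == sid:
            return dn
    raise KeyError(sid)


def groups_containing(dn):
    """Groups whose 'member' attribute (the forward link) lists dn."""
    return [g for g, attrs in DIRECTORY.items() if dn in attrs.get("member", [])]


def token_groups(user_dn):
    """Transitive closure of the user's group SIDs (the group part of the token).

    Breadth-first over 'member', seeded with the user and the primary group,
    which comes from primaryGroupID rather than from any 'member' attribute.
    """
    user = DIRECTORY[user_dn]
    primary_sid = f"{DOMAIN_SID}-{user['primaryGroupID']}"
    primary_dn = sid_to_dn(primary_sid)
    queue = deque([user_dn, primary_dn])
    seen = {user_dn, primary_dn}        # visited set: this is what breaks cycles
    sids = {primary_sid}
    while queue:
        dn = queue.popleft()
        for group_dn in groups_containing(dn):
            if group_dn in seen:
                continue
            seen.add(group_dn)
            sids.add(DIRECTORY[group_dn]["objectSid"])
            queue.append(group_dn)
    return sids


if __name__ == "__main__":
    for sid in sorted(token_groups(ADMIN_DN)):
        print(sid)
```

Note what the walk does not produce: the page's ldbsearch output also lists the account's own SID and logon-time well-known SIDs such as S-1-1-0 (Everyone), which are added when the token is built rather than stored as group objects. Across a forest trust the same walk would additionally have to query the trusted domain for its groups, which is where the recursion becomes slow and error-prone.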

Accessing the final group membership

tokenGroups is an operational (that is, calculated and hidden) LDAP attribute. It is present both on an individual user object (readable by other users, e.g. a service account or an administrator account) and on the rootDSE for the currently authenticated user.

ldbsearch for the tokenGroups attribute on authenticated connection

To confirm the final group membership of the current user, run:

ldbsearch -H ldap://$SERVER -s base -b "" tokenGroups -U$USERNAME

This will give an output like this:

# record 1
dn: 
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-500
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-513
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-512
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-572
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-518
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-519
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-520
tokenGroups: S-1-1-0
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-32-544
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554

wbinfo --user-sids

If you know the user's SID, and winbindd already knows the group membership (i.e. there has been a previous login, either over NTLM/Kerberos to smbd or via wbinfo -a), you can obtain the same SID list with, e.g.:

wbinfo --user-sids=S-1-5-21-4023018537-2373006774-1847616786-500

giving:

S-1-5-21-4023018537-2373006774-1847616786-500
S-1-5-21-4023018537-2373006774-1847616786-513
S-1-5-21-4023018537-2373006774-1847616786-519
S-1-5-21-4023018537-2373006774-1847616786-520
S-1-5-21-4023018537-2373006774-1847616786-518
S-1-5-21-4023018537-2373006774-1847616786-512
S-1-5-21-4023018537-2373006774-1847616786-572
S-1-5-32-544
S-1-5-32-545
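The two listings above come from different sources and are not quite identical, which is worth checking when auditing a service account's effective token. The following added example (not Samba code) parses both outputs as shown on this page, embedded as constructed strings so it runs offline, classifies each SID as domain, builtin or well-known, reports which SIDs appear in only one source, and flags the high-privilege groups present. The well-known SID names and the privileged RIDs are standard Windows values; nothing else is assumed.

```python
"""Compare tokenGroups (ldbsearch) with wbinfo --user-sids and flag privileged
groups. Added example, not Samba code; the sample outputs are the ones on this page."""
import re

# Sample ldbsearch output from this page, embedded as a constructed string.
LDBSEARCH_OUTPUT = """\
# record 1
dn: 
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-500
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-513
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-512
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-572
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-518
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-519
tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-520
tokenGroups: S-1-1-0
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-32-544
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
"""

# Sample wbinfo --user-sids output from this page, embedded as a constructed string.
WBINFO_OUTPUT = """\
S-1-5-21-4023018537-2373006774-1847616786-500
S-1-5-21-4023018537-2373006774-1847616786-513
S-1-5-21-4023018537-2373006774-1847616786-519
S-1-5-21-4023018537-2373006774-1847616786-520
S-1-5-21-4023018537-2373006774-1847616786-518
S-1-5-21-4023018537-2373006774-1847616786-512
S-1-5-21-4023018537-2373006774-1847616786-572
S-1-5-32-544
S-1-5-32-545
"""

USER_SID = "S-1-5-21-4023018537-2373006774-1847616786-500"

SID_RE = re.compile(r"^S-1-(?:\d+-)+\d+$")

# Well-known SIDs that appear in logon tokens but are not group objects in AD.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "Network", "S-1-5-11": "Authenticated Users"}
# Standard RIDs worth flagging in a privilege review; builtin and domain RID
# spaces are separate, so they are kept in separate tables.
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_BUILTIN_RIDS = {544: "Administrators"}


def domain_sid_of(sid):
    """Strip the trailing RID: S-1-5-21-X-Y-Z-500 -> S-1-5-21-X-Y-Z."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


def parse_ldif_token_groups(text):
    """Collect tokenGroups values from ldbsearch's LDIF-style output."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("tokenGroups:")}


def parse_wbinfo_sids(text):
    """Collect one SID per line from wbinfo --user-sids output, ignoring other lines."""
    return {line.strip() for line in text.splitlines() if SID_RE.match(line.strip())}


def classify(sid, domain_sid):
    if sid in WELL_KNOWN:
        return "well-known"
    if sid.startswith("S-1-5-32-"):
        return "builtin"
    if sid.startswith(domain_sid + "-"):
        return "domain"
    return "other"                       # e.g. a group from a trusted domain


def privileged_groups(sids, domain_sid):
    """Names of high-privilege groups present in a SID list."""
    names = set()
    for sid in sids:
        kind = classify(sid, domain_sid)
        if kind == "domain" and rid_of(sid) in PRIVILEGED_DOMAIN_RIDS:
            names.add(PRIVILEGED_DOMAIN_RIDS[rid_of(sid)])
        elif kind == "builtin" and rid_of(sid) in PRIVILEGED_BUILTIN_RIDS:
            names.add(PRIVILEGED_BUILTIN_RIDS[rid_of(sid)])
    return names


def compare_sources(ldif_text, wbinfo_text):
    """Return (only in tokenGroups, only in wbinfo)."""
    ldap_sids = parse_ldif_token_groups(ldif_text)
    wb_sids = parse_wbinfo_sids(wbinfo_text)
    return ldap_sids - wb_sids, wb_sids - ldap_sids


if __name__ == "__main__":
    domain_sid = domain_sid_of(USER_SID)
    only_ldap, only_wb = compare_sources(LDBSEARCH_OUTPUT, WBINFO_OUTPUT)
    for sid in sorted(only_ldap):
        print(f"tokenGroups only: {sid} ({classify(sid, domain_sid)})")
    for sid in sorted(only_wb):
        print(f"wbinfo only:      {sid} ({classify(sid, domain_sid)})")
    print("privileged:", sorted(privileged_groups(parse_ldif_token_groups(LDBSEARCH_OUTPUT), domain_sid)))
```

On the page's sample data the only differences are on the tokenGroups side: S-1-1-0, S-1-5-2 and S-1-5-11 are well-known SIDs added at logon, and S-1-5-32-554 is a builtin group, so a review script should treat them as expected rather than as a discrepancy in stored membership. Any SID the script classifies as "other" would come from outside the local domain, which is the case the recursion warning earlier on this page is about.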