Group membership in AD
The User token and Group memberships in AD
All users accessing a Samba server, indeed any server or service in an AD domain, have a list of groups associated with them. This is often referred to as the Kerberos PAC, which is actually the surrounding structure encrypted and signed within a Kerberos ticket. The user group information is in that ticket, but not trivially accessible.
Group membership in AD is recursive, and group-based
Most users in an AD will have a number of attribute values describing the groups they are a member of. These are
However, this is not the total group membership, because those groups are also members of other groups.
This can be discovered by recursion, but this is slow and may be error-prone if the domain is part of a larger forest or there are inter-forest trusts.
Finally, it should of course be remembered that the group membership is actually controlled by the member attribute on the groups, and the primaryGroupID attribute on the user, not the memberOf backlink. Only the member attributes are available for modification.
Accessing the final group membership
tokenGroups is an operational (that is, calculated and hidden) LDAP attribute. It is present both on an individual user (accessible by other users, eg a service account or administrator account) and on the rootDSE for the current user.
ldbsearch for the tokenGroups attribute on authenticated connection
To confirm the final group membership of a the current user, run:
ldbsearch -H ldap://$SERVER -s base -b "" tokenGroups -U$USERNAME
This will give an output like this:
# record 1 dn: tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-500 tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-513 tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-512 tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-572 tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-518 tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-519 tokenGroups: S-1-5-21-4023018537-2373006774-1847616786-520 tokenGroups: S-1-1-0 tokenGroups: S-1-5-2 tokenGroups: S-1-5-11 tokenGroups: S-1-5-32-544 tokenGroups: S-1-5-32-545 tokenGroups: S-1-5-32-554
If you know the USER's SID, then if winbindd knows the group mebership (ie, there has been a login previously, either over NTLM/Kerberos to smbd, or wbinfo -a, you can obtain the same SID list with (eg):
S-1-5-21-4023018537-2373006774-1847616786-500 S-1-5-21-4023018537-2373006774-1847616786-513 S-1-5-21-4023018537-2373006774-1847616786-519 S-1-5-21-4023018537-2373006774-1847616786-520 S-1-5-21-4023018537-2373006774-1847616786-518 S-1-5-21-4023018537-2373006774-1847616786-512 S-1-5-21-4023018537-2373006774-1847616786-572 S-1-5-32-544 S-1-5-32-545