On Mon, 30 Jun 2025 14:25:55 +0200
Simon FONTENEAU via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> I'd like to ask if it would be possible to add support for the
> msDS-TokenGroupNames attribute in Samba.
>
> For context: I'm currently working with a large-scale *Microsoft
> Active Directory* environment, and a Microsoft engineer recommended
> using this attribute to retrieve all nested group memberships for a
> user, as it's the most performant option - even better than
> tokenGroups.
>
> Initially, I tried using the following query:
>
> (member:1.2.840.113556.1.4.1941:=<dn_of_user>)
>
> But performance was clearly not acceptable in our setup.
>
> However, I noticed that msDS-TokenGroupNames is not currently
> populated in Samba. (My application must be able to work with both
> Samba and Microsoft.)
>
> From what I can tell, the relevant code area might be here:
>
> https://github.com/samba-team/samba/blob/5b9492ada40352213448a5050a187948c9d72ebc/source4/dsdb/samdb/ldb_modules/operational.c#L342
>
> Would it be feasible to implement support for this attribute? Or is
> there a technical limitation I'm missing?
>
> Simon
Seeing as how msDS-TokenGroupNames only became available with Windows
2016 and Samba has only just got to 2016, it is highly likely that
there isn't any code available for the constructed attribute, so
someone will have to write it. HINT, HINT
Rowland