Large Change - Domain Trusts and Foreign Security Principal

[adeutscher]

Make a way to handle lookups over domain trusts. A cross-domain user over a trust has their SID stored in a Foreign Security Principal object in the local domain. It seems to be the responsibility of the machine doing the lookups to bind out to a controller on the remote domain and get further information.

Requirements:

• The ObjectSID property is stored in AD as a base64-encoded binary string. I need to learn to translate plaintext SIDs to binary, and vice versa. It's possible to go through a 3rd party library like pywin32. However, with resources like SelfADSI I'd rather learn to do this one thing manually in order to avoid adding a whole other dependency.
• Overhaul the structure of the configuration file to allow for multiple domains (or at least "secondary" domains). Other domains might have different schemas, but it could cut down on redundant configuration (at the cost of added complexity) to designate a primary domain that will hold default schema settings.
• Detect when we're being given a SID as our CN (would just regexing it be sufficient, to cut down on queries?), and give lookup methods the capability to hunt down and get the information from the actual object in the remote domain. This should be an optional feature, with a config setting or a switch argument.
• Confirm how much non-AD LDAP implementations use trusts.

[adeutscher]

Reflected a bit on this issue.

I think that the tidiest thing would probably be to implement a new class that will implement DirectoryTools instances as needed. This will be a world easier than editing the DirectoryTools class itself.

[adeutscher]

More reflection:

Trust relationships more of an edge case. Users would likely be working in one domain (making this issue moot), or perhaps in a forest (enabling Global Catalog).

If there are two domains joined by a trust with one group composed of users from multiple domains, we don't need to hold the script author's hand all the way using DirectoryTools methods to manage the entire trust structure. However, we do need to provide a technique to use basic methods to identify a Foreign Security Principal object.

With this approach, we would still need:

• A method for translating a text SID to a base64-encoded binary SID.
• A method for resolving a user's SID to their DN.

Using these methods, a user could get the users in a group by their DN, and check whether a DN represents a foreign security principal (likely through the first section of their DN matching the format of an SID). If it is, they'd take a look at the domain-identifying section of the SID. They would then look up the domain in a dictionary of spare DirectoryTools objects tuned to these trust domains.

One way or the other, each DirectoryTools config would need a proxy account that was allowed to look through the target domain.