4

I am accessing a remote server with Java. The server runs Microsoft Windows and provides an Active Directory as well as a file system share. I read users and groups from the Active Directory via JNDI, which works great. I get all user attributes like distinguishedName, objectSid and so on.

My Java program also connects to a Windows share on the same server, using Java 7 and NIO.2. I can read the remote file system and get information about it. I can also read file permission settings like this:

    import java.nio.file.Files;
    import java.nio.file.attribute.AclEntry;
    import java.nio.file.attribute.AclFileAttributeView;
    import java.nio.file.attribute.UserPrincipal;

    [...]

    AclFileAttributeView aclView = Files.getFileAttributeView(path, AclFileAttributeView.class);

    for (AclEntry aclEntry : aclView.getAcl()) {
        UserPrincipal principal = aclEntry.principal();
        [...]
    }

This way I get access rights for a UserPrincipal object. This class only provides a method getName() which returns some name or sometimes an SID.

For actual users the UserPrincipal object returns an SID which I can use to find the corresponding user in the Active Directory. However, if UserPrincipal represents a group, getName() just returns a text like for example "VORDEFINIERT\Administratoren".

I could not find a way to map this text to a group defined in the Active Directory. The corresponding group in AD has this distinguishedName property: CN=Administratoren,CN=Builtin,DC=mydomain,DC=com.

Both the machine where the Java program runs and the server are running a German version of Windows. It's strange that AD returns CN=Builtin (English) but the file system returns a group name with a German translation VORDEFINIERT. If both would be e.g. Builtin I could probably parse the UserPrincipal and find out what the distinguishedName of the AD object should be... however, this approach does not seem to be very reliable.

I'd really like to be able to read the SID of all UserPrincipal objects so that I can find the corresponding user or group in AD.

Is there a way to do this? Please let me know if you need more information.

Best regards, sky

Sky
  • 674
  • 8
  • 22

1 Answers1

4

I continued researching this problem and found a solution:

In this case (accessing a Windows share) the objects returned by aclEntry.principal() are actually of class WindowsUserPrincipals.Group or WindowsUserPrincipals.User. UserPrincipal is an interface implemented by WindowsUserPrincipals.User. And WindowsUserPrincipals.Group is a subclass of WindowsUserPrincipals.User.

Class sun.nio.fs.WindowsUserPrincipals is not public, so it can't be accessed directly. But I saw that the inner class WindowsUserPrincipals.User contains exactly the SID which I have been looking for. It is in a private field called sidString.

So my solution is to check if the returned UserPrincipal is a WindowsUserPrincipal and if yes, use reflection to read the value of field sidString.

It works and can be written in a reliable way, however, it is not a really super nice solution because I had to use reflection. But I did not find an easier way to access or get the SID.

Please still answer this question if you know better ways to read the SID. Thank you.

Sky
  • 674
  • 8
  • 22
  • Hi Sky! I am reserching approach to implement something similar what you did and I wonder if your implementation is still alive after 2 years? Maybe you found more reliable way to match AD users/groups with users/groups from AclFileAttributeView? – Volodymyr Krupach Oct 15 '15 at 16:08
  • 1
    @VolodymyrKrupach Yes, it was working reliably and has been used in an production environment for about 2 years now without issues. Seen that it worked well and that I didn't get any further input, I didn't research the topic any further and therefore didn't find any other ways to do that. – Sky Oct 17 '15 at 11:47