[jcifs] Re: SID.getXxxName returns empty string if account deleted

Michael B Allen mba2000 at ioplex.com
Mon Dec 4 19:40:32 GMT 2006

On Mon, 04 Dec 2006 13:43:34 -0500
Jake Goulding <goulding at vivisimo.com> wrote:

> Seems reasonable, but will there be a way to tell if the SID could be 
> resolved?
> If the SID is resolvable, I would prefer to use the domain\user format, 
> but if it is not resolvable, the full SID would be most useful. If the 
> getXxxName always returns a string, how can I tell which case has occurred?

SID.toString() should do what you want. If the resolution was successful
you'll get DOMAIN\user (or just 'user' for builtin names like SYSTEM). If
it was not successful it should return the full S-X-Y-Z string. I thought
it did that now actually. I'll double check.

Regardless, getType() can be used to determine if the SID was resolved. I'm
not sure what values it would return. That would require some
experimentation. But again, you shouldn't need it. Just use toString().

At least that's the way I think it should work. This is just as new
to me as it is to you. If you're thinking we should do something else,
let me know.

Generally the idea is to mimic the behavior of the Windows ACL
editor. Actually I think toString() should be able to return *exactly*
what we see in the ACL editor.

> Michael B Allen wrote:
> > Is getAccountName, getDomainName or toString returning null? I don't
> > think they should. I think I should change the SID class behavior to do the
> > following depending on whether or not the SID was successfully resolved:
> >
> > toString:
> >     resolved:
> >         Return a suitable display name
> >     un-resolved:
> >         Return the full S-X-Y-Z string
> >
> > getDomainName:
> >     resolved:
> >         Return the domain name
> >     un-resolved:
> >         Return the domain component of the S-X-Y-Z string
> >
> > getAccountName:
> >     resolved:
> >         Return the account name
> >     un-resolved:
> >         Return only the RID component of the S-X-Y-Z string
> >
> > These methods should never return null or an empty string. I'm actually
> > not certain what getType() will return. I don't think the user should
> > have to checking it at all.
> >
> > Additionally another thing I think I will change is to make it so that
> > if the SID is not resolved, calling any of these methods will trigger
> > it to be resolved. Currently if the SID.resolve() is not called or if
> > the SID was not passed through SID.resolveSids it is not resolved and
> > the said methods return null. So you will only get the S-X-Y-X strings
> > if the resolution failed (e.g. because the account was deleted). This is
> > consistent with the Windows ACL editor. Also, after doing this I suppose
> > I can make the SID.resolve() method non-public.
> >
> > These are all simple changes that should take less than an hour. It was
> > sloppy on my part not to consider unresolved sids.
> -- 
> Software Engineer
> goulding at vivisimo.com
> Viví­simo [Search Done Right™]
> 1710 Murray Avenue
> Pittsburgh, PA 15217 USA
> tel: +1.412.422.2499 x105
> fax: +1.412.422.2495
> vivisimo.com      clusty.com

Michael B Allen
PHP Active Directory SSO

More information about the jcifs mailing list