SIDs of local groups (fwd)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Apr 6 13:06:16 GMT 1998


ah - this just came in on ntbugtraq!

<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton  </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk"       > Samba and Network Consultancy </a>

---------- Forwarded message ----------
Date: Sun, 5 Apr 1998 20:44:23 +0400
From: Evgenii Borisovich Rudnyi <rudnyi at MCH1.CHEM.MSU.SU>
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: SIDs of local groups

The Knowledge Base article Q163846 of 12-05-1997 "SID Values For Default
Windows NT Installations" states that SID values for local groups are as
follows

  BUILTIN\ADMINISTRATORS     S-1-2-32-544
  BUILTIN\USERS              S-1-2-32-545
  BUILTIN\GUESTS             S-1-2-32-546
  BUILTIN\ACCOUNT OPERATORS  S-1-2-32-548
  BUILTIN\SERVER OPERATORS   S-1-2-32-549
  BUILTIN\PRINT OPERATORS    S-1-2-32-550
  BUILTIN\BACKUP OPERATORS   S-1-2-32-551
  BUILTIN\REPLICATOR         S-1-2-32-552

Interestingly enough, GETSID from the NT Resource Kit confirms this
on several NT boxes I have tried it on.

However, I could not reproduce this with the WIN32 function
LookupAccountName. The latter shows that the SIDs above are erroneous
and that they should look like

  BUILTIN\ADMINISTRATORS     S-1-5-32-544
  BUILTIN\USERS              S-1-5-32-545
  ...

This can also be confirmed by watching the binary values in the SAM and
by employing the WIN32 functions AllocateAndInitializeSid and
LookupAccountSid. If SID S-1-5-32-544 is generated, then LookupAccountSid
tells us that it belongs to BUILTIN\ADMINISTRATORS. However, if SID
S-1-2-32-544 is put in, then the answer is that the account for this SID
does not exist.

The question is whether this is an error in the documentation (and in
GETSID; it looks like its authors did not employ the WIN32 API), or
whether there are some sophisticated security implications.

Evgenii Rudnyi

--
Chemistry Department       rudnyi at comp.chem.msu.su
Moscow State University    http://www.chem.msu.su/~rudnyi/welcome.html
119899 Moscow              +(095)939 5452, fax+(095)932 8846, +(095)939 1205
Russia
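
Added example, not part of the forwarded message or of any tool it names: a small Python decoder for the binary SID layout (revision byte, subauthority count, 6-byte big-endian identifier authority, little-endian 32-bit subauthorities), showing that the two string forms quoted above differ only in the identifier authority field. The function names pack_sid, parse_sid and sid_to_string are hypothetical, and the inputs are constructed from the values in the message.

```python
import struct

# Well-known identifier authorities (values as defined in winnt.h).
AUTHORITIES = {
    0: "Null Authority",
    1: "World Authority",
    2: "Local Authority",
    3: "Creator Authority",
    5: "NT Authority",
}


def pack_sid(authority, *subauthorities, revision=1):
    """Build the binary form of a SID (hypothetical helper)."""
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority is a 48-bit value")
    if len(subauthorities) > 15:
        raise ValueError("a SID holds at most 15 subauthorities")
    head = bytes([revision, len(subauthorities)]) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subauthorities), *subauthorities)


def parse_sid(blob):
    """Decode a binary SID into (revision, authority, [subauthorities])."""
    if len(blob) < 8:
        raise ValueError("truncated SID header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("not a revision-1 SID")
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match subauthority count")
    authority = int.from_bytes(blob[2:8], "big")          # 6 bytes, big-endian
    subs = list(struct.unpack("<%dI" % count, blob[8:]))  # 32-bit, little-endian
    return revision, authority, subs


def sid_to_string(blob):
    """Render a binary SID in the S-R-A-S1-S2... form used in the message."""
    revision, authority, subs = parse_sid(blob)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


if __name__ == "__main__":
    # Constructed inputs: the two candidate SIDs for BUILTIN\ADMINISTRATORS.
    for auth in (2, 5):
        blob = pack_sid(auth, 32, 544)
        print(blob.hex(), sid_to_string(blob), AUTHORITIES[auth])
```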
