Mapping of RIDs to uid_t and gid_t (fwd)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Apr 7 14:23:22 GMT 1998



Luke Kenneth Casson Leighton <lkcl at samba.anu.edu.au>
Samba and Network Development: http://mailhost.cb1.com/~lkcl
Samba and Network Consultancy: http://www.samba.co.uk

---------- Forwarded message ----------
Date: Mon, 6 Apr 1998 17:31:42 -0400 (EDT)
From: Mark Funkenhauser <mark at opennt.com>
To: lkcl at switchboard.net
Subject: Re: Mapping of RIDs to uid_t and gid_t

Hi Luke:

> 
> On Tue, 7 Apr 1998, David Collier-Brown wrote:
> 
> > I wrote:


   I didn't see the original proposals, but I did see your message today.

   I don't know if this is relevant to your discussion, but I have some
   info on NT SID's and how UNIX-like IDs are generated in the POSIX subsystem
   (e.g. how SID's are mapped into an 'int')
   and that there are "PosixID" offsets generated by the LSA 
   to help the subsystem to generate unique id's.

   My references are from:
     Microsoft Developers Network Library CD:  
	  Win32 SDK: Win32, Overviews, System Services  - Security 
     SDK CD:  somewhere in the SAMPLE code is a LSAAPI.RTF (or .HLP ?)
	      file that describes the LSA api's.


   special NT-SIDS
   ---------------
   S-1-0-0    the NULL group (a group with no members)
   S-1-1-0    the World group (aka  Everyone)
   S-1-2-*    SIDs generated from Local authority
   S-1-5-*    SIDs generated from the NT-authority
   S-1-5-1    the Dialup group
   S-1-5-2    the Network group
   S-1-5-3    the Batch group
   S-1-5-4    the Interactive group
   S-1-5-6    the Service group
   S-1-5-11   the Authenticated_Users group
   S-1-5-18   the Local_System group

   S-1-5-X-Y  - special SID created during user logon to identify
		the window-station and allows the user to access
		the window-stations object for this session.
		[ I'm not sure what values X and Y can take ]

   POSIX subsystem ID's.
   --------------------

   The POSIX subsystem (and the OpenNT subsystem) is just like UNIX :
   they need user/group id's that fit into an 'int'.

   So, for NT SIDs that come from trusted domains, 
   the LSA knows about this and generates special id offsets
   (called Posix Offsets - values like 0x130000 and 0x120000 - see below)
   that can be added to a RID to make a unique id.

   For other types of SIDs, there is a well known set of offset mappings:
   For global SIDs (NULL, World, ...), the offset is 0x10000.
     (eg.  Everyone group : SID=S-1-1-0, id = 0x10100
           SYSTEM group SID=S-1-5-18, id = 0x10512)

   For SIDs from the Built-in Domain, the offset is 0x20000
     (eg. USERS: SID=S-1-5-32-545 = 0x20221)
     (eg. ADMINISTRATORS: SID=S-1-5-32-544 = 0x20220)

   For SIDs from the Account-in Domain (local machine users/groups),
   the offset is 0x30000.

   For SIDs from the Primary-in Domain, the offsets start at 0x100000 and 
   are incremented by 0x100000 for each additional trusted domain.
     (e.g.  DOMAIN1\User1  SID=S-1-5-21-#-#-0x3ED = 0x1003ED)


hope this helps,

mark
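
The offset scheme described in the message above, as an added example that is not part of the original post or of Samba's code. The domain SIDs are constructed, the function names are hypothetical, the global-SID formula is inferred from the two examples given, and the range check (refusing a RID large enough to alias an id in the next range) is an addition the message does not mention.

```python
# Added example, not code from the original post. The offsets are the values
# quoted in the message; function names and domain arguments are assumptions.
GLOBAL, BUILTIN, ACCOUNT, DOMAIN_STEP = 0x10000, 0x20000, 0x30000, 0x100000

# Constructed sample domain SIDs (not real domains).
LOCAL_MACHINE = "S-1-5-21-10-20-30"
TRUSTED = ["S-1-5-21-111-222-333", "S-1-5-21-444-555-666"]  # primary first


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, (subauthorities))."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[:2] != ["S", "1"]:
        raise ValueError("not a revision-1 SID: %r" % (sid,))
    nums = [int(p, 0) for p in parts[2:]]  # base 0 accepts 1005 and 0x3ED
    return nums[0], tuple(nums[1:])


def _place(base, value, limit):
    """Return base + value, refusing ids that spill into the next range."""
    if base + value >= limit:
        raise OverflowError("id 0x%X collides with range at 0x%X"
                            % (base + value, limit))
    return base + value


def sid_to_posix_id(sid, account_domain=LOCAL_MACHINE, domains=TRUSTED):
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:   # Built-in
        return _place(BUILTIN, subs[1], ACCOUNT)
    if authority == 5 and len(subs) >= 3 and subs[0] == 21:   # domain SID
        domain, rid = (authority, subs[:-1]), subs[-1]
        if domain == parse_sid(account_domain):
            return _place(ACCOUNT, rid, DOMAIN_STEP)
        for n, known in enumerate(domains, start=1):
            if domain == parse_sid(known):
                return _place(n * DOMAIN_STEP, rid, (n + 1) * DOMAIN_STEP)
        raise LookupError("no Posix offset known for the domain of " + sid)
    if len(subs) == 1 and authority < 0x100:                  # NULL, World, ...
        # Inferred from the two examples: 0x10000 + authority * 0x100 + RID.
        low = _place(0, subs[0], 0x100)
        return _place(GLOBAL, authority * 0x100 + low, BUILTIN)
    raise ValueError("SID form not covered by the message: " + sid)
```

Without the range check, a primary-domain RID of 0x100005 would receive the same id as RID 5 in the next trusted domain, so two different principals would share one uid.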


