Mapping of RIDs to uid_t and gid_t (fwd)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue Apr 7 14:23:22 GMT 1998
Luke Kenneth Casson Leighton (lkcl at samba.anu.edu.au)
Samba and Network Development: http://mailhost.cb1.com/~lkcl
Samba and Network Consultancy: http://www.samba.co.uk
---------- Forwarded message ----------
Date: Mon, 6 Apr 1998 17:31:42 -0400 (EDT)
From: Mark Funkenhauser <mark at opennt.com>
To: lkcl at switchboard.net
Subject: Re: Mapping of RIDs to uid_t and gid_t
Hi Luke:
>
> On Tue, 7 Apr 1998, David Collier-Brown wrote:
>
> > I wrote:
I didn't see the original proposals, but I did see your message today.
I don't know if this is relevant to your discussion, but I have some
info on NT SID's and how UNIX-like IDs are generated in the POSIX subsystem
(e.g. how SID's are mapped into an 'int')
and that there are "PosixID" offsets generated by the LSA
to help the subsystem to generate unique id's.
My references are from:
Microsoft Developers Network Library CD:
Win32 SDK: Win32, Overviews, System Services - Security
SDK CD: somewhere in the SAMPLE code is a LSAAPI.RTF (or .HLP ?)
file that describes the LSA api's.
special NT-SIDS
---------------
S-1-0-0     the NULL group (a group with no members)
S-1-1-0     the World group (aka Everyone)
S-1-2-*     SIDs generated from Local authority
S-1-5-*     SIDs generated from the NT-authority
S-1-5-1     the Dialup group
S-1-5-2     the Network group
S-1-5-3     the Batch group
S-1-5-4     the Interactive group
S-1-5-6     the Service group
S-1-5-11    the Authenticated_Users group
S-1-5-18    the Local_System group
S-1-5-X-Y   special SID created during user logon to identify
            the window-station and allows the user to access
            the window-stations object for this session.
            [ I'm not sure what values X and Y can take ]
POSIX subsystem ID's.
--------------------
The POSIX subsystem (and the OpenNT subsystem) is just like UNIX :
they need user/group id's that fit into an 'int'.
So, for NT SIDs that come from trusted domains,
the LSA knows about this and generates special id offsets
(called Posix Offsets - values like 0x130000 and 0x120000 - see below)
that can be added to a RID to make a unique id.
For other types of SIDs, there is a well known set of offset mappings:

For global SIDs (NULL, World, ...), the offset is 0x10000.
    (e.g. Everyone group: SID=S-1-1-0, id = 0x10100
          SYSTEM group: SID=S-1-5-18, id = 0x10512)

For SIDs from the Built-in Domain, the offset is 0x20000.
    (e.g. USERS: SID=S-1-5-32-545 = 0x20221)
    (e.g. ADMINISTRATORS: SID=S-1-5-32-544 = 0x20220)

For SIDs from the Account-in Domain (local machine users/groups),
the offset is 0x30000.

For SIDs from the Primary-in Domain, the offsets start at 0x100000 and
are incremented by 0x100000 for each additional trusted domain.
    (e.g. DOMAIN1\User1 SID=S-1-5-21-#-#-0x3ED = 0x1003ED)
hope this helps,
mark
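
The offset scheme described in the message above, as an added Python example that is not part of the original post and is not OpenNT or Samba code. The byte layout for global SIDs is inferred from the two worked values in the message, and the domain SIDs, the `domain_offsets` table (standing in for the LSA's Posix Offsets) and the overflow checks are assumptions made for illustration.

```python
GLOBAL, BUILTIN, ACCOUNT = 0x10000, 0x20000, 0x30000  # fixed offsets from the message
DOMAIN_STRIDE = 0x100000  # spacing the message gives for primary/trusted domains


def parse_sid(sid):
    """Return (authority, [subauthorities]) for a string like S-1-5-32-544."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[:2] != ["S", "1"]:
        raise ValueError("not a revision-1 SID: %r" % sid)
    nums = [int(p, 0) for p in parts[2:]]  # base 0 accepts 0x3ED as written above
    return nums[0], nums[1:]


def sid_to_posix_id(sid, account_domain, domain_offsets):
    """Map a SID to an int id. domain_offsets stands in for the LSA's
    per-domain Posix Offsets: {domain SID in decimal form: offset}."""
    authority, subs = parse_sid(sid)
    rid = subs[-1]
    if len(subs) == 1:
        # Assumption inferred from the two worked values in the message
        # (0x10100, 0x10512): authority in the second byte, RID in the low byte.
        if authority > 0xFF or rid > 0xFF:
            raise OverflowError("would collide with another well-known SID: " + sid)
        return GLOBAL + (authority << 8) + rid
    if authority == 5 and subs[0] == 32 and len(subs) == 2:
        base, window = BUILTIN, 0x10000
    elif authority == 5 and subs[0] == 21 and len(subs) >= 3:
        domain = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
        if domain == account_domain:
            base, window = ACCOUNT, 0x10000
        elif domain in domain_offsets:
            base, window = domain_offsets[domain], DOMAIN_STRIDE
        else:
            raise LookupError("no Posix Offset known for " + domain)
    else:
        raise ValueError("SID class not covered by the message: " + sid)
    if rid >= window:
        # Assumption: a RID that reaches the next offset is rejected, since
        # two different SIDs would otherwise share one uid/gid.
        raise OverflowError("RID 0x%X overflows its offset window" % rid)
    return base + rid


# Constructed sample data: placeholder domain SIDs, not real ones.
LOCAL = "S-1-5-21-111-222-333"
OFFSETS = {"S-1-5-21-444-555-666": 0x100000}
if __name__ == "__main__":
    for s in ("S-1-1-0", "S-1-5-18", "S-1-5-32-545", "S-1-5-21-444-555-666-0x3ED"):
        print(s, hex(sid_to_posix_id(s, LOCAL, OFFSETS)))
```

Rejecting an unknown domain or an oversized RID matters because a silent wrap would give two distinct SIDs the same uid or gid, and file permission checks would then treat them as one principal.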