Security Identifier (SID) to User Identifier (uid) Resolution System

Todd Sabin tastas at home.com
Thu Dec 30 22:27:30 GMT 1999


Luke Kenneth Casson Leighton <lkcl at samba.org> writes:

> > > > > 
> > > > > and what happens when you select a samba server in show-users from an NT
> > > > > workstation?
> > > > > 
> > > > > yes, this is possible.
> > > > > 
> > > > 
> > > > Only if the samba server is the DC (or trusted DC) of the machine
> > > > whose file you're manipulating.  Those are the only machines you can
> > > > show users from.  Which is as it should be, because those are the only
> > > > accounts that the machine can authenticate.  The GUI is smart enough
> > > > to limit your choices to those that actually make sense.
> > > 
> > > are you sure?  and what about cacls.exe?
> > 
> > Yes, I'm sure (about the GUI); it's been true for years.  I don't know
> > about cacls.  Nothing stops you from putting bogus SIDs in ACLs at the
> > API level, so it's possible that cacls might let you do it.  If it
> > does, though, those ACEs would be total deadweight, as no one could
> > authenticate as one of those accounts.
> > 
> > 
> > Todd
> > 
> 
> 
> i'm thinking of using cacls (or the GUI, but you tell me it can't be done)
> to add a _valid_ SID on some arbitrarily selected workstation, for file
> access on another local workstation.

Yes, I understand, but it's pointless to do so.  There's no way for
someone to prove to WKSA that they are user WKSB\foo.  A machine can
only authenticate users managed by machines that it has a trust
relationship with.  Workstations don't have trust relationships with
each other.

I meant 'bogus SID' in a relative sense, i.e., any SID that a machine
could never authenticate.  Whether or not it is actually defined
somewhere else.  Sorry, that probably wasn't clear.


Todd
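The behaviour Todd describes (the API accepts any SID in an ACE, but an ACE whose SID no trusted authority can resolve is dead weight) can be checked directly on a Windows workstation. The script below is an added example, not part of the thread and not Samba code; it assumes PowerShell on Windows, and the domain-style SID it writes into the ACL is made up for illustration and belongs to no authority the machine trusts.

```powershell
# Added example (not from the samba-technical thread).
# Shows that an ACE for an arbitrary SID can be written into a file's DACL via
# the Windows API, and that the local machine cannot map that SID to any
# account it could authenticate. Run on a Windows workstation.

$path = Join-Path $env:TEMP 'sid-ace-test.txt'
Set-Content -Path $path -Value 'test'

# Constructed SID: a syntactically valid domain-style SID (S-1-5-21-...) whose
# domain part is invented, i.e. the "bogus in a relative sense" case.
$foreignSid = New-Object System.Security.Principal.SecurityIdentifier `
    'S-1-5-21-1111111111-2222222222-3333333333-1001'
# Well-known local SID for comparison: BUILTIN\Administrators.
$localSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

function Test-SidResolves {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # LookupAccountSid (via Translate) asks the local SAM and, on a
    # domain-joined box, the trusted DCs. Anything else is unresolvable.
    try {
        $account = $Sid.Translate([System.Security.Principal.NTAccount])
        return "$($Sid.Value) -> $($account.Value)"
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return "$($Sid.Value) -> unresolvable (no trusted authority knows this SID)"
    }
}

Test-SidResolves $localSid
Test-SidResolves $foreignSid

# The API happily accepts the foreign SID in an ACE (this needs WRITE_DAC on
# the file, which the file's creator has)...
$acl = Get-Acl -Path $path
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $foreignSid,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# ...and the stored ACE comes back as a raw SID string rather than a name,
# because nothing this machine trusts can map it. No principal can ever
# authenticate as it here, so the ACE grants nothing to anyone.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $foreignSid.Value } |
    Format-List IdentityReference, FileSystemRights, AccessControlType

Remove-Item -Path $path -Force
```

The same check is what an auditor runs when hunting orphaned ACEs: any entry whose IdentityReference is still a bare S-1-... string after Get-Acl has tried to translate it is one that the machine's own authority, or its trusted domain, no longer (or never did) recognise.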

