Security Identifier (SID) to User Identifier (uid) Resolution System

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Dec 30 22:34:53 GMT 1999


ok, i buy this.  PDC-controlled SIDs can only be accepted, nothing else.

i buy it, and i like it.  it makes things a hell of a lot simpler
(*whew*).  means you don't have to worry about workstation SIDs, only your
own local SIDs, domain SIDs and trusted DC SIDs.

_maybe_ untrusted DC SIDs, but that's probably going too far.

On 30 Dec 1999, Todd Sabin wrote:

> Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> 
> > > > > > 
> > > > > > and what happens when you select a samba server in show-users from an NT
> > > > > > workstation?
> > > > > > 
> > > > > > yes, this is possible.
> > > > > > 
> > > > > 
> > > > > Only if the samba server is the DC (or trusted DC) of the machine
> > > > > whose file you're manipulating.  Those are the only machines you can
> > > > > show users from.  Which is as it should be, because those are the only
> > > > > accounts that the machine can authenticate.  The GUI is smart enough
> > > > > to limit your choices to those that actually make sense.
> > > > 
> > > > are you sure?  and what about cacls.exe?
> > > 
> > > Yes, I'm sure (about the GUI); it's been true for years.  I don't know
> > > about cacls.  Nothing stops you from putting bogus SIDs in ACLs at the
> > > API level, so it's possible that cacls might let you do it.  If it
> > > does, though, those ACEs would be total deadweight, as no one could
> > > authenticate as one of those accounts.
> > > 
> > > 
> > > Todd
> > > 
> > 
> > 
> > i'm thinking of using cacls (or the GUI, but you tell me it can't be done)
> > to add a _valid_ SID on some arbitrarily selected workstation. for files
> > access on another local workstation.
> 
> Yes, I understand, but it's pointless to do so.  There's no way for
> someone to prove to WKSA that they are user WKSB\foo.  A machine can
> only authenticate users managed by machines that it has a trust
> relationship with.  Workstations don't have trust relationships with
> each other.
> 
> I meant 'bogus SID' in a relative sense, i.e., any SID that a machine
> could never authenticate.  Whether or not it is actually defined
> somewhere else.  Sorry, that probably wasn't clear.
> 
> 
> Todd
> 
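The acceptance rule agreed above (a SID is only meaningful if its authority part is the server's own local SID, its domain SID, or a trusted DC's SID; anything a random workstation minted is deadweight) as a small worked example. This is added code, not Samba's and not from either poster; the SID values are constructed placeholders, and the function names (sid_authority_part, sid_is_resolvable, count_unresolvable) are hypothetical, not Samba APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example authorities (placeholders, not real SIDs): this
 * server's local SID, the domain SID handed out by the PDC, and the SID
 * of one trusted domain.  Well-known SIDs such as S-1-1-0 (Everyone) are
 * deliberately out of scope here and would need their own handling. */
static const char *accepted_authorities[] = {
    "S-1-5-21-1000-1001-1002",   /* our own local SID */
    "S-1-5-21-2000-2001-2002",   /* our domain SID (PDC-controlled) */
    "S-1-5-21-3000-3001-3002",   /* a trusted DC's domain SID */
};

/* Copy everything before the final "-RID" of a textual SID into out.
 * Returns false if sid does not look like S-1-<auth>-<subauth...>-<rid>. */
bool sid_authority_part(const char *sid, char *out, size_t out_len)
{
    const char *last_dash;
    size_t n;

    if (sid == NULL || strncmp(sid, "S-1-", 4) != 0)
        return false;
    last_dash = strrchr(sid, '-');
    /* Need at least S-1-x-y so there is a RID to strip off. */
    if (last_dash == NULL || last_dash < sid + 5 || last_dash[1] == '\0')
        return false;
    n = (size_t)(last_dash - sid);
    if (n + 1 > out_len)
        return false;
    memcpy(out, sid, n);
    out[n] = '\0';
    return true;
}

/* The policy from the thread: resolve a SID only if its authority part is
 * one we can actually authenticate against (local, domain, trusted DC).
 * A SID from an unrelated workstation is rejected: nobody could ever prove
 * to this machine that they are that account. */
bool sid_is_resolvable(const char *sid)
{
    char auth[64];
    size_t i, count = sizeof accepted_authorities / sizeof accepted_authorities[0];

    if (!sid_authority_part(sid, auth, sizeof auth))
        return false;
    for (i = 0; i < count; i++)
        if (strcmp(auth, accepted_authorities[i]) == 0)
            return true;
    return false;
}

/* Count the deadweight ACEs in a list of SID strings, i.e. those that can
 * never be matched to an authenticatable account under the policy above. */
size_t count_unresolvable(const char *const *sids, size_t n)
{
    size_t i, dead = 0;

    for (i = 0; i < n; i++)
        if (!sid_is_resolvable(sids[i]))
            dead++;
    return dead;
}

/* Constructed ACL: two resolvable entries, one SID minted by an unrelated
 * workstation, and one malformed string. */
static const char *const sample_acl[] = {
    "S-1-5-21-2000-2001-2002-1105",   /* a domain user */
    "S-1-5-21-1000-1001-1002-500",    /* local Administrator */
    "S-1-5-21-9999-9998-9997-1001",   /* user on some other workstation */
    "not-a-sid",
};
#define SAMPLE_ACL_LEN (sizeof sample_acl / sizeof sample_acl[0])

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_ACL_LEN; i++)
        printf("%-32s %s\n", sample_acl[i],
               sid_is_resolvable(sample_acl[i]) ? "accept" : "reject");
    printf("%zu of %zu ACEs are deadweight\n",
           count_unresolvable(sample_acl, SAMPLE_ACL_LEN), SAMPLE_ACL_LEN);
    return 0;
}
```

The check is a plain string comparison on the authority prefix, which is all the policy needs: the RID identifies an account within an authority, and the question being settled is only whether this server can ever authenticate anything that authority issued.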


