How to determine if a SID is group or user?
Gerald Carter
gcarter at valinux.com
Thu Nov 9 19:59:30 GMT 2000
John M Trostel wrote:
>
> Well, I'm trying to come back through the "set_nt_acl"
> call, with a pre-alpha implementation of XFS acls. There
> are more than the standard 3 ACEs created and I need (when
> they are read back in as is done in "unpack_nt_permissions")
> to determine if the ACE is a user or group ACE.
>
> Is the 'last bit' the high order or low order bit here?
> (And is that the one I see in the dacl->ace[i] structure?)
>
> typedef struct security_ace_info
> {
>     uint8 type;  /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
>     uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
>     uint16 size;
>
>     SEC_ACCESS info;
>     DOM_SID sid;
>
> } SEC_ACE;

Ah....Well first you will need to get the rid from the
last 32 bits of the DOM_SID. Don't know if there is a
function for this (would think so). Check around and see.

Be aware that I have not worked on the security descriptor
code that much and not at all on ACLs, so take what I say
with a grain of salt :-)

(And yes that would be the low bit)

from include/smb.h:

/* DOM_SID - security id */
typedef struct sid_info
{
    uint8 sid_rev_num;             /* SID revision number */
    uint8 num_auths;               /* number of sub-authorities */
    uint8 id_auth[6];              /* Identifier Authority */
    /*
     * Note that the values in these uint32's are in *native* byteorder,
     * not necessarily little-endian...... JRA.
     */
    uint32 sub_auths[MAXSUBAUTHS]; /* pointer to sub-authorities. */
} DOM_SID;

from passdb/passdb.c:

/*******************************************************************
 Decides if a RID is a user or group RID.
 ********************************************************************/
BOOL pdb_rid_is_user(uint32 rid)
{
    /* lkcl i understand that NT attaches an enumeration to a RID
     * such that it can be identified as either a user, group etc
     * type. there are 5 such categories, and they are documented.
     */
    if(pdb_rid_is_well_known(rid)) {
        /*
         * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
         * and DOMAIN_USER_RID_GUEST.
         */
        if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
            return True;
    } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
        return True;
    }
    return False;
}

Cheers, jerry
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
http://www.samba.org/ SAMBA Team jerry at samba.org
http://www.plainjoe.org/ jerry at plainjoe.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
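
Added example, not part of the original message or of the Samba source: taking the RID from the last sub-authority of a DOM_SID with a bounds check on num_auths, then applying the same decision as pdb_rid_is_user(). The values given to RID_TYPE_MASK and USER_RID_TYPE, the well-known cutoff of 1000, and the names FIRST_ALGORITHMIC_RID, sid_get_rid, sid_is_user and classify_sample are assumptions; the post does not show them.

```c
#include <stdint.h>
#include <stdio.h>

#define MAXSUBAUTHS 15                 /* size of sub_auths[] in the DOM_SID above */
/* Assumed values: the post names these macros but does not show their definitions. */
#define RID_TYPE_MASK         1u       /* "the low bit", per the reply */
#define USER_RID_TYPE         0u
#define FIRST_ALGORITHMIC_RID 1000u    /* hypothetical name; smaller RIDs count as well known */
#define DOMAIN_USER_RID_ADMIN 0x1F4u   /* 500 */
#define DOMAIN_USER_RID_GUEST 0x1F5u   /* 501 */

typedef struct {                       /* same layout as the DOM_SID quoted above */
    uint8_t  sid_rev_num, num_auths, id_auth[6];
    uint32_t sub_auths[MAXSUBAUTHS];   /* native byte order */
} DOM_SID;

enum { SID_BAD = -1, SID_NOT_USER = 0, SID_USER = 1 };

/* The RID is the last sub-authority; reject counts that would index out of bounds. */
static int sid_get_rid(const DOM_SID *sid, uint32_t *rid)
{
    if (!sid || sid->num_auths == 0 || sid->num_auths > MAXSUBAUTHS)
        return -1;
    *rid = sid->sub_auths[sid->num_auths - 1];
    return 0;
}

/* Same decision as pdb_rid_is_user() above, applied to a whole SID. */
int sid_is_user(const DOM_SID *sid)
{
    uint32_t rid;
    if (sid_get_rid(sid, &rid) != 0)
        return SID_BAD;
    if (rid < FIRST_ALGORITHMIC_RID)   /* well known: only admin and guest are users */
        return rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST;
    return (rid & RID_TYPE_MASK) == USER_RID_TYPE;
}

/* Constructed sample SID S-1-5-21-1-2-3-<rid>; num_auths is a parameter so a
 * malformed count can be exercised as well. */
int classify_sample(uint32_t rid, uint8_t num_auths)
{
    DOM_SID s = { 1, num_auths, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3, rid} };
    return sid_is_user(&s);
}

int main(void)
{
    printf("%d %d %d %d\n", classify_sample(3000, 5), classify_sample(3001, 5),
           classify_sample(512, 5), classify_sample(3000, 0));
    return 0;
}
```

The low-bit test only means something for RIDs this server allocated itself, so an ACE whose SID belongs to another domain should be compared against the local domain SID before the result is trusted.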
More information about the samba-technical
mailing list