How to determine if a SID is group or user?

Gerald Carter gcarter at
Thu Nov 9 19:59:30 GMT 2000

John M Trostel wrote:
> Well, I'm trying to come back through the "set_nt_acl" 
> call, with a pre-alpha implementation of XFS acls.  There 
> are more than the standard 3 ACEs created and I need (when 
> they are read back in as is done in "unpack_nt_permissions") 
> to determine if the ACE is a user or group ACE.
> Is the 'last bit' the high order or low order bit here? 
> (And is that the one I see in the dacl->ace[i] structure?)
> typedef struct security_ace_info
> {
>     uint8 type;  /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
>     uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
>     uint16 size;
>     SEC_ACCESS info;
>     DOM_SID sid;
> } SEC_ACE;

Ah....Well first you will need to get the rid from the 
last 32 bits of the DOM_SID.  Don't know if there is a 
function for this (would think so).  Check around and see.

Be aware that I have not worked on the security descriptor 
code that much and not at all on ACLs, so take what I say
with a grain of salt :-)

(And yes that would be the low bit)

from include/smb.h:

/* DOM_SID - security id */
typedef struct sid_info
{
  uint8  sid_rev_num;             /* SID revision number */
  uint8  num_auths;               /* number of sub-authorities */
  uint8  id_auth[6];              /* Identifier Authority */
  /*
   * Note that the values in these uint32's are in *native* byteorder,
   * not necessarily little-endian...... JRA.
   */
  uint32 sub_auths[MAXSUBAUTHS];  /* pointer to sub-authorities. */
} DOM_SID;


from passdb/passdb.c:

/* Decides if a RID is a user or group RID. */
BOOL pdb_rid_is_user(uint32 rid)
{
  /* lkcl i understand that NT attaches an enumeration to a RID
   * such that it can be identified as either a user, group etc
   * type.  there are 5 such categories, and they are documented.
   */
   if(pdb_rid_is_well_known(rid)) {
       /*
        * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
        */
       return True;
   } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
     return True;
   }
   return False;
}

Cheers, jerry
   /\  Gerald (Jerry) Carter                     Professional Services
 \/  VA Linux Systems   gcarter at       SAMBA Team          jerry at                     jerry at

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
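
The two steps from the reply above (take the RID from the last sub-authority, then test its low bit), as an added example that is not part of the original post or Samba's own code. The constant values, the 1000 cut-off for well-known RIDs, and the names `example_sid`, `sid_get_rid` and `sid_classify` are assumptions; the low-bit test only means something for RIDs allocated under this scheme, so lower RIDs are reported separately.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAXSUBAUTHS 15          /* assumed: maximum sub-authorities in a SID */
#define RID_TYPE_MASK 1         /* assumed values for the low-bit scheme */
#define USER_RID_TYPE 0
#define FIRST_ALGORITHMIC_RID 1000 /* hypothetical name; lower RIDs are well known */

typedef struct {                /* same layout as the DOM_SID quoted above */
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[MAXSUBAUTHS]; /* native byte order */
} example_sid;

typedef enum { RID_INVALID = -1, RID_WELL_KNOWN, RID_USER, RID_GROUP } rid_kind;

/* Copy the RID (last sub-authority) into *rid; 0 on success, -1 on a bad SID. */
int sid_get_rid(const example_sid *sid, uint32_t *rid)
{
    if (sid == NULL || rid == NULL)
        return -1;
    /* An ACE read back from disk is untrusted: bound num_auths before indexing. */
    if (sid->num_auths == 0 || sid->num_auths > MAXSUBAUTHS)
        return -1;
    *rid = sid->sub_auths[sid->num_auths - 1];
    return 0;
}

/* Classify a SID by its RID; well-known RIDs need a table lookup instead. */
rid_kind sid_classify(const example_sid *sid)
{
    uint32_t rid;
    if (sid_get_rid(sid, &rid) != 0)
        return RID_INVALID;
    if (rid < FIRST_ALGORITHMIC_RID)
        return RID_WELL_KNOWN;
    return ((rid & RID_TYPE_MASK) == USER_RID_TYPE) ? RID_USER : RID_GROUP;
}

int main(void)
{
    /* Constructed sample SIDs: S-1-5-21-111-222-333-<rid> */
    example_sid user  = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 111, 222, 333, 3000}};
    example_sid group = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 111, 222, 333, 3001}};
    printf("rid 3000 -> %d, rid 3001 -> %d\n",
           sid_classify(&user), sid_classify(&group));
    return 0;
}
```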
