Posix Extended headers ...

Richard Sharpe rsharpe at ns.aus.com
Tue Jul 16 08:20:02 GMT 2002

On Tue, 16 Jul 2002, Joerg Schilling wrote:

> >From rsharpe at ns.aus.com Tue Jul 16 00:10:48 2002
> >> Storing a sid and rid would perhaps be a better way to do it as you may
> >> not be able to resolve the username or domain due to network problems or
> >> that the sid is a foreign sid from a non-trusted domain.
> >OK, you are right. Storing as S-1-5-21-xxx-yyy-... for all SIDs would 
> >probably be better.
> I would need to learn what this is. Do you have pointers for a quick overview?

A SID is a security identifier. They are MS's equivalent of UIDs and GIDs. 
They have structure and they are unified, in that groups have SIDs as 

Internally, they are almost an array of GUINT32s (the first two are a bit 
more complex), but they are written in text format as:

  | | | |   |   |   |   |
  | | | |   |   |   |   |
  | | | |   |   |   |   +--------Relative ID within domain/box
  | | | +---+---+---+------------Sub Authorities, 21 indicates NT
  | | +--------------------------Authority, I think
  | +----------------------------Version
  +------------------------------Verbose indicator that it is a SID

The portion S-1-5-21-XXX-YYY-ZZZ is the domain SID, and RID is the 
relative ID, however, for all ACL purposes, they should be stored as the 
full DOMAIN-SID and RID, ie as above.

Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com

More information about the samba-technical mailing list