"algorithmic rid base" bogus?

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Dec 27 22:06:39 GMT 2005

On Tue, Dec 27, 2005 at 10:49:44PM +0100, Volker Lendecke wrote:

> There's a caveat that I just found out one step later however: The
> samr_query_usergroups call can't return anything sensible if the groups a
> user is member of are not mapped. The primary group sid is fine, this is
> stored with the SAM_ACCOUNT structure, but the additional groups are lost.
> This might be important as this influences the token we're returning in the
> SamLogon call.  People might have (from my point of view invalidly) set
> workstation security descriptors based on non-explicitly-mapped groups.
> Question: Is this really an issue? If I pursue my plan further I might have
> to create a compatibility option just for this call to automagically create
> the group mapping entries based on the algorithm.

Replying to myself: The reason why I'm not sure this is an issue is that I
don't have the slightest idea how an admin could be fooled into locally assigning
such a security descriptor. They are not listed with enum_domain_groups or
query_dispinfo, only the mapped ones are. So none of the non-mapped groups
should show up in the windows security dialogue.
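
As an added illustration of the mismatch discussed in this message (it is example code written for this page, not Samba code), the model below computes the group RIDs that would land in a user's SamLogon token versus the RIDs that enum_domain_groups / query_dispinfo would list. It assumes Samba's classic algorithmic mapping, user RID = 2*uid + base and group RID = 2*gid + base + 1 with base being the "algorithmic rid base" parameter (default 1000); the group-mapping table, the account record and the domain layout are constructed sample data, and the function names are this example's own.

```python
"""Token vs. enumeration mismatch for unmapped (algorithmic) groups.

Added example, not Samba code. Assumptions: the classic Samba algorithmic
RID scheme (user RID = uid*2 + base, group RID = gid*2 + base + 1) and a
default "algorithmic rid base" of 1000. All sample data is constructed.
"""
from dataclasses import dataclass

ALGORITHMIC_RID_BASE = 1000   # assumed default of "algorithmic rid base"
RID_MULTIPLIER = 2
RID_TYPE_USER = 0
RID_TYPE_GROUP = 1


def gid_to_group_rid(gid: int) -> int:
    """Algorithmic group RID for a unix gid (assumed classic scheme)."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + RID_TYPE_GROUP


def rid_is_algorithmic_group(rid: int) -> bool:
    """True if the RID sits in the algorithmic range with the group parity."""
    if rid < ALGORITHMIC_RID_BASE:
        return False
    return (rid - ALGORITHMIC_RID_BASE) % RID_MULTIPLIER == RID_TYPE_GROUP


def group_rid_to_gid(rid: int) -> int:
    """Inverse of gid_to_group_rid; raises for RIDs that are not algorithmic groups."""
    if not rid_is_algorithmic_group(rid):
        raise ValueError(f"RID {rid} is not an algorithmic group RID")
    return (rid - ALGORITHMIC_RID_BASE - RID_TYPE_GROUP) // RID_MULTIPLIER


@dataclass
class SamAccount:
    """Minimal stand-in for the fields of SAM_ACCOUNT that matter here."""
    username: str
    user_rid: int
    primary_group_rid: int      # stored with the account, so always resolvable
    supplementary_gids: list    # unix groups; only mapped ones have a known SID


def enumerated_group_rids(group_mapping: dict) -> list:
    """What enum_domain_groups / query_dispinfo expose: explicit mapping entries only."""
    return sorted(set(group_mapping.values()))


def token_group_rids(account: SamAccount, group_mapping: dict,
                     algorithmic_fallback: bool) -> set:
    """Group RIDs that end up in the SamLogon token.

    group_mapping: gid -> RID for explicitly mapped groups (constructed table).
    algorithmic_fallback: emulate a compatibility option that derives RIDs for
    unmapped groups from the algorithm instead of dropping them.
    """
    rids = {account.primary_group_rid}
    for gid in account.supplementary_gids:
        if gid in group_mapping:
            rids.add(group_mapping[gid])
        elif algorithmic_fallback:
            rids.add(gid_to_group_rid(gid))
        # otherwise the unmapped group is silently lost from the token
    return rids


def unlisted_token_groups(account: SamAccount, group_mapping: dict,
                          algorithmic_fallback: bool) -> set:
    """Groups present in the token that no enumeration call would ever show."""
    token = token_group_rids(account, group_mapping, algorithmic_fallback)
    return token - set(enumerated_group_rids(group_mapping))


# Constructed sample data: two explicitly mapped groups, one unmapped (gid 3005).
GROUP_MAPPING = {100: 513, 2001: 1100}
ACCOUNT = SamAccount("alice", user_rid=3000, primary_group_rid=513,
                     supplementary_gids=[2001, 3005])

if __name__ == "__main__":
    print("enumerated:", enumerated_group_rids(GROUP_MAPPING))
    print("token, no fallback:", token_group_rids(ACCOUNT, GROUP_MAPPING, False))
    print("token, fallback:   ", token_group_rids(ACCOUNT, GROUP_MAPPING, True))
    print("in token but never listed:",
          unlisted_token_groups(ACCOUNT, GROUP_MAPPING, True))
```

Without the fallback the unmapped gid 3005 simply vanishes from the token; with it, RID 7011 appears in the token even though no enumeration call lists it, which is exactly the group an admin could not have picked from a Windows security dialogue.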
