Enumerating Unix users and groups from Windows

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jul 23 21:42:54 GMT 2008


On Wed, Jul 23, 2008 at 07:19:50PM +0200, Corinna Vinschen wrote:
> On Jul 23 18:25, Volker Lendecke wrote:
> > On Wed, Jul 23, 2008 at 12:30:35PM +0200, Corinna Vinschen wrote:
> > > when I want to know the user/group name <-> SID mapping of the UNIX user
> > > and groups (The ones with SIDs S-1-22-1, S-1-22-2), I can call
> > > LookupAccountSid and LookupAccountName just fine from Windows. 
> > 
> > S-1-22-x is just a workaround for accounts not in smbpasswd
> > or pdb_something. Right now we don't have a capability to
> > list all unix accounts. While it should be possible
> > RPC-wise, i.e. do a samr_opendomain on s-1-22-1, it is not
> > implemented yet, and I don't know if this would be available
> > via the Win32 NetUser API. I doubt that that API expects
> > more than one SAM on a server.
> 
> Thanks for the reply.  I was just puzzled since I had expected that
> the UNIX user accounts are simply part of the same enumeration and
> automatically returned by NetUserEnum if no filter is set and, say,
> NetLocalGroupEnum.

The problem is: We would have to assign RIDs to those
accounts. And mapping RIDs to Unix IDs and vice versa is not
exactly an easy job. S-1-22-x is the best approximation we
could find for the Windows file security editor.

> It's also sort of weird that LookupAccountName works, but NetUserGetInfo
> doesn't.

LsaLookupNames does expect multiple domains, because it has
to take care of trusted domains. NetUserInfo probably has to
do an OpenUser which can only happen against the defining
DC. Very likely it finds the RID via a SamrLookupNames (not
the LSA version), so it cannot find the correct RID for the
S-1-22 domains. This would have to be verified by sniffs
though.

Volker
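
As an added illustration of the S-1-22-x scheme discussed in this thread (not code from Samba or from either poster): Samba's S-1-22-1-<uid> and S-1-22-2-<gid> SIDs carry the Unix ID directly as the last subauthority, so recognising them needs no RID lookup in a SAM domain. The function names and the sample SIDs below are constructed for this example.

```python
import struct

def parse_sid_string(text):
    """Parse 'S-1-<authority>-<sub>...' into (authority, subauthorities)."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % text)
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError("non-numeric SID component: %r" % text)
    authority, subs = int(parts[2]), tuple(int(p) for p in parts[3:])
    if authority >= 2**48 or len(subs) > 15 or any(s >= 2**32 for s in subs):
        raise ValueError("SID component out of range: %r" % text)
    return authority, subs

def parse_sid_bytes(raw):
    """Decode the binary (wire/ACL) SID layout into the same tuple form."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("truncated SID or unsupported revision")
    count = raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("subauthority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return authority, subs

def unix_mapping(authority, subs):
    """Return ('uid', n) for S-1-22-1-n, ('gid', n) for S-1-22-2-n, else None."""
    if authority != 22 or len(subs) != 2:
        return None
    kind = {1: "uid", 2: "gid"}.get(subs[0])
    return (kind, subs[1]) if kind else None

# Constructed sample values, e.g. owners read from ACLs on a Samba share.
SAMPLE_SIDS = [
    "S-1-22-1-1000",                                   # Unix user, uid 1000
    "S-1-22-2-100",                                    # Unix group, gid 100
    "S-1-22-1",                                        # bare domain SID, no ID
    "S-1-5-21-1111111111-2222222222-3333333333-1001",  # SAM account with a RID
]
SAMPLE_BINARY = bytes.fromhex("010200000000001601000000e8030000")  # S-1-22-1-1000

if __name__ == "__main__":
    for sid in SAMPLE_SIDS:
        print(sid, "->", unix_mapping(*parse_sid_string(sid)))
    print(SAMPLE_BINARY.hex(), "->", unix_mapping(*parse_sid_bytes(SAMPLE_BINARY)))
```
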