Enumerating Unix users and groups from Windows

Corinna Vinschen corinna at vinschen.de
Thu Jul 24 08:54:36 GMT 2008

On Jul 23 23:42, Volker Lendecke wrote:
> On Wed, Jul 23, 2008 at 07:19:50PM +0200, Corinna Vinschen wrote:
> > Thanks for the reply.  I was just puzzled since I had expected that
> > the UNIX user accounts are simply part of the same enumeration and
> > automatically returned by NetUserEnum if no filter is set and, say,
> > NetLocalGroupEnum.
> The problem is: We would have to assign RIDs to those
> accounts. And mapping RIDs to Unix IDs and vice versa is not
> exactly an easy job. S-1-22-x is the best approximation we
> could find for the Windows file security editor.

Oh, I'm not saying that you shouldn't use S-1-22-x.  It's a nice method
to map uids/gids to SIDs.  What I'm missing is that they are just not
enumerated *together* with the other SIDs.

For instance, when you call NetLocalGroupEnum on a Windows machine, you
get a list which contains accounts from different "domains" and with
different base SIDs, too.  Calling LookupAccountName afterwards shows
that clearly:

  NetLocalGroupEnum (MACHINE); LookupAccountName (Name)

  Name		      RID   Domain  SID
  -----------------  ----   ------- -------------------------------
  Administrators      544   BUILTIN S-1-5-32-544
  Backup Operators    551   BUILTIN S-1-5-32-551
  Guests	      546   BUILTIN S-1-5-32-546
  Users		      545   BUILTIN S-1-5-32-545
  HelpServicesGroup  1001   MACHINE S-1-5-21-12345-67890-76543-1001

So it enumerates BUILTIN accounts as well as MACHINE accounts.

Samba could return the unix groups as local groups as well:

  NetLocalGroupEnum (SAMBA)  LookupAccountName (Name)

  Name		      RID   Domain      SID
  -----------------  ----   ----------  ---------------------------------
  root                  0   Unix Group  S-1-22-2-0
  bin			1   Unix Group  S-1-22-2-0

And for users:

  NetEnumUsers (SAMBA, info class 3); LookupAccountName (Name)

  Name		      RID   Domain      SID
  -----------------  ----   ----------  ---------------------------------
  root                  0   Unix User   S-1-22-1-0
  bin			1   Unix User   S-1-22-1-0
  corinna            2000   MACHINE     S-1-5-21-98765-43210-23489-2000

Given that I'm probably the first one to complain, it might be not
overly important, of course.  And I have a workaround.

My scenario is this:  So far Cygwin has to create /etc/passwd and
/etc/group files for the uid/gid <-> SID mapping.  To create these
files, you have two tools calls mkpasswd and mkgroup which create these
files using the NetEnum and LookupAccount functions.  To show the
user/group info on Samba shares correctly, both tools have to enumerate
accounts from Samba.  My workaround for the UNIX users and groups is to
loop over constructed S-1-22-x-y SIDs and calling LookupAccountSid with
them.  That works, but it's incredibly slow for ranges like 0-65535...


More information about the samba-technical mailing list