[PATCH] s4: Add additional well-known SID's/RID's

Andrew Kroeger andrew at id10ts.net
Fri May 29 02:04:13 GMT 2009


All:

Please find attached two patches that add additional well-known
SIDs/RIDs and expand the set of 2-letter mapping codes that are
used when encoding/decoding SDDL.

These patches are also available at git://github.com/id10ts/samba.git.

Sincerely,
Andrew Kroeger
-------------- next part --------------
>From 7b6100addb644bf25f2b43b329ae1d571245695c Mon Sep 17 00:00:00 2001
From: Andrew Kroeger <andrew at id10ts.net>
Date: Thu, 28 May 2009 20:02:42 -0500
Subject: [PATCH] s4: Add additional well-known SID's/RID's.

Information was found at http://support.microsoft.com/kb/243330

Not all well-known identifiers were included - only those necessary for
enhancing the 2-letter mappings used in SDDL strings were added.
---
 librpc/gen_ndr/security.h |    4 ++++
 librpc/idl/security.idl   |    4 ++++
 2 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/librpc/gen_ndr/security.h b/librpc/gen_ndr/security.h
index 9db2108..d1dcbe5 100644
--- a/librpc/gen_ndr/security.h
+++ b/librpc/gen_ndr/security.h
@@ -121,17 +121,21 @@
 #define SID_BUILTIN_REPLICATOR	( "S-1-5-32-552" )
 #define SID_BUILTIN_RAS_SERVERS	( "S-1-5-32-553" )
 #define SID_BUILTIN_PREW2K	( "S-1-5-32-554" )
+#define SID_BUILTIN_REMOTE_DESKTOP_USERS	( "S-1-5-32-555" )
+#define SID_BUILTIN_NETWORK_CONF_OPERATORS	( "S-1-5-32-556" )
 #define DOMAIN_RID_LOGON	( 9 )
 #define DOMAIN_RID_ADMINISTRATOR	( 500 )
 #define DOMAIN_RID_GUEST	( 501 )
 #define DOMAIN_RID_KRBTGT	( 502 )
 #define DOMAIN_RID_ADMINS	( 512 )
 #define DOMAIN_RID_USERS	( 513 )
+#define DOMAIN_RID_GUESTS	( 514 )
 #define DOMAIN_RID_DOMAIN_MEMBERS	( 515 )
 #define DOMAIN_RID_DCS	( 516 )
 #define DOMAIN_RID_CERT_ADMINS	( 517 )
 #define DOMAIN_RID_SCHEMA_ADMINS	( 518 )
 #define DOMAIN_RID_ENTERPRISE_ADMINS	( 519 )
+#define DOMAIN_RID_POLICY_ADMINS	( 520 )
 #define NT4_ACL_REVISION	( SECURITY_ACL_REVISION_NT4 )
 #define SD_REVISION	( SECURITY_DESCRIPTOR_REVISION_1 )
 struct dom_sid {
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 941883f..9728c7f 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -219,6 +219,8 @@ interface security
 	const string SID_BUILTIN_REPLICATOR        = "S-1-5-32-552";
 	const string SID_BUILTIN_RAS_SERVERS       = "S-1-5-32-553";
 	const string SID_BUILTIN_PREW2K            = "S-1-5-32-554";
+	const string SID_BUILTIN_REMOTE_DESKTOP_USERS   = "S-1-5-32-555";
+	const string SID_BUILTIN_NETWORK_CONF_OPERATORS = "S-1-5-32-556";
 
 	/* well-known domain RIDs */
 	const int DOMAIN_RID_LOGON                 = 9;
@@ -227,11 +229,13 @@ interface security
 	const int DOMAIN_RID_KRBTGT                = 502;
 	const int DOMAIN_RID_ADMINS                = 512;
 	const int DOMAIN_RID_USERS                 = 513;
+	const int DOMAIN_RID_GUESTS                = 514;
 	const int DOMAIN_RID_DOMAIN_MEMBERS        = 515;
 	const int DOMAIN_RID_DCS                   = 516;
 	const int DOMAIN_RID_CERT_ADMINS           = 517;
 	const int DOMAIN_RID_SCHEMA_ADMINS         = 518;
 	const int DOMAIN_RID_ENTERPRISE_ADMINS     = 519;
+	const int DOMAIN_RID_POLICY_ADMINS         = 520;
 
 
 	/*
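Review bot: The two new RID constants in this hunk carry no comment, and both names are easy to misread. `DOMAIN_RID_GUESTS` (514, the Domain Guests group) differs by a single letter from the existing `DOMAIN_RID_GUEST` (501, the Guest account), and `DOMAIN_RID_POLICY_ADMINS` does not say that RID 520 is the Group Policy Creator Owners group. A trailing comment on each would make a mix-up in ACL code easier to spot, for example `/* Domain Guests group, not the Guest account (501) */` and `/* Group Policy Creator Owners */`. The generated header `librpc/gen_ndr/security.h` would pick the names up unchanged.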
-- 
1.6.0.6

-------------- next part --------------
>From f63d0ed97be9540f1db707dae2a2d8b927e572ee Mon Sep 17 00:00:00 2001
From: Andrew Kroeger <andrew at id10ts.net>
Date: Thu, 28 May 2009 20:18:33 -0500
Subject: [PATCH] s4: Add additional 2-letter SID/RID mappings.

Information from http://msdn.microsoft.com/en-us/library/aa379602(VS.85).aspx
---
 source4/libcli/security/sddl.c |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c
index a8d893f..39bdf04 100644
--- a/source4/libcli/security/sddl.c
+++ b/source4/libcli/security/sddl.c
@@ -80,11 +80,34 @@ static const struct {
 	{ "CO", SID_CREATOR_OWNER },
 	{ "CG", SID_CREATOR_GROUP },
 
+	{ "AN", SID_NT_ANONYMOUS },
+	{ "BG", SID_BUILTIN_GUESTS },
+	{ "BO", SID_BUILTIN_BACKUP_OPERATORS },
+	{ "BU", SID_BUILTIN_USERS },
+	{ "IU", SID_NT_INTERACTIVE },
+	{ "LS", SID_NT_LOCAL_SERVICE },
+	{ "NO", SID_BUILTIN_NETWORK_CONF_OPERATORS },
+	{ "NS", SID_NT_NETWORK_SERVICE },
+	{ "NU", SID_NT_NETWORK },
+	{ "PU", SID_BUILTIN_POWER_USERS },
+	{ "RC", SID_NT_RESTRICTED },
+	{ "RD", SID_BUILTIN_REMOTE_DESKTOP_USERS },
+	{ "RE", SID_BUILTIN_REPLICATOR },
+	{ "SO", SID_BUILTIN_ACCOUNT_OPERATORS },
+	{ "SU", SID_NT_SERVICE },
+
 	{ "DA", NULL, DOMAIN_RID_ADMINS },
 	{ "EA", NULL, DOMAIN_RID_ENTERPRISE_ADMINS },
 	{ "DD", NULL, DOMAIN_RID_DCS },
 	{ "DU", NULL, DOMAIN_RID_USERS },
 	{ "CA", NULL, DOMAIN_RID_CERT_ADMINS },
+
+	{ "DC", NULL, DOMAIN_RID_DOMAIN_MEMBERS },
+	{ "DG", NULL, DOMAIN_RID_GUESTS },
+	{ "LA", NULL, DOMAIN_RID_ADMINISTRATOR },
+	{ "LG", NULL, DOMAIN_RID_GUEST },
+	{ "PA", NULL, DOMAIN_RID_POLICY_ADMINS },
+	{ "SA", NULL, DOMAIN_RID_SCHEMA_ADMINS },
 };
 
 /*
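Review bot: The added entry `{ "SO", SID_BUILTIN_ACCOUNT_OPERATORS },` maps the wrong principal. In Microsoft's SDDL SID-string table, the one the commit message cites, "SO" is Server Operators (S-1-5-32-549), while Account Operators (S-1-5-32-548) is "AO". As written, an ACE naming "SO" would decode to the Account Operators SID, so any rights in that descriptor would go to a different privileged group than the author intended. The line should read `{ "SO", SID_BUILTIN_SERVER_OPERATORS },`, assuming that constant is already defined in security.idl; it is not visible in these hunks, and if it is missing it has to be added there with the value "S-1-5-32-549". The table starts above this hunk, so it is also worth confirming that none of the new codes duplicates an earlier entry.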
-- 
1.6.0.6


