S-1-5-21-Local-SAM-SID-513 -> LOCAL-SAM-NAME\None

Jeremy Allison jra at samba.org
Fri Aug 7 17:25:22 UTC 2020

On Fri, Aug 07, 2020 at 06:52:24PM +0200, Ralph Boehme wrote:
> On 8/7/20 at 6:37 PM, Jeremy Allison wrote:
> > OK, what it looks like is a call that can *never* fail
> > on Windows - e.g. looking up S-1-5-[LOCAL-DOMAIN-PREFIX]-513
> > must *always* map to "Domain Users" group.
> but why on earth do we return "None" instead of "Domain Users"?

Well I'm guessing that there might already be a UNIX "Domain Users"
group, but someone didn't map it to RID-513.

"None" was probably considered a safer choice. Dunno though.

Ah, look here source3/passdb/passdb.c:

bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
                            enum lsa_SidType *type)
{
        GROUP_MAP *map;
        bool ret;

        /* Windows treats "MACHINE\None" as a special name for
           rid 513 on non-DCs.  You cannot create a user or group
           name "None" on Windows.  You will get an error that
           the group already exists. */

        if ( strequal( name, "None" ) ) {
                *rid = DOMAIN_RID_USERS;
                *type = SID_NAME_DOM_GRP;

                return True;
        }

        /* (rest of the function not quoted) */
}

and here source3/groupdb/mapping.c:get_domain_group_from_sid(struct dom_sid sid, GROUP_MAP *map):

        /* special case check for rid 513 */

        if ( !ret ) {
                uint32_t rid;

                sid_peek_rid( &sid, &rid );

                if ( rid == DOMAIN_RID_USERS ) {
                        map->nt_name = talloc_strdup(map, "None");
                        if (!map->nt_name) {
                                return false;
                        }
                        map->comment = talloc_strdup(map, "Ordinary Users");
                        if (!map->comment) {
                                return false;
                        }
                        sid_copy( &map->sid, &sid );
                        map->sid_name_use = SID_NAME_DOM_GRP;
                        map->gid = (gid_t)-1;
                        return True;
                }
                return False;
        }
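The two special cases quoted above form a pair: a textual SID whose trailing RID is 513 resolves to the name "None", and the name "None" resolves back to RID 513 with type SID_NAME_DOM_GRP. The following stand-alone C model is an added example, not Samba code and not part of the mail: it parses a textual SID, peeks the last sub-authority the way sid_peek_rid() does, and implements both directions of the mapping so the agreement between them can be checked. The struct, enum and function names (sid_parse, rid_of, sid_to_special_name, special_name_to_rid, roundtrips) are this example's own, the sample SID is constructed, and exact string comparison stands in for Samba's case-insensitive strequal().

```c
/* Added example, not Samba code: a model of the two rid-513 special cases
 * quoted above. Parses "S-1-5-21-A-B-C-RID", peeks the trailing RID as
 * sid_peek_rid() does, and maps RID 513 <-> "None" in both directions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMAIN_RID_USERS 513u   /* well-known RID of "Domain Users" */
#define MAX_SUB_AUTHS 15

struct sid {                    /* reduced stand-in for struct dom_sid */
        unsigned num_auths;
        uint32_t sub_auths[MAX_SUB_AUTHS];
};

enum sid_type { SID_TYPE_UNKNOWN = 0, SID_TYPE_DOM_GRP = 2 };

/* Read one decimal field; rejects signs, blanks and empty fields. */
static bool read_num(const char **p, unsigned long long *v)
{
        char *end;
        if (!isdigit((unsigned char)**p))
                return false;
        *v = strtoull(*p, &end, 10);
        *p = end;
        return true;
}

/* Parse "S-1-5-21-..." into struct sid; false on malformed input. */
static bool sid_parse(const char *text, struct sid *out)
{
        unsigned long long v;
        memset(out, 0, sizeof(*out));
        if (text == NULL || text[0] != 'S' || text[1] != '-')
                return false;
        text += 2;
        if (!read_num(&text, &v) || v != 1 || *text++ != '-') /* revision */
                return false;
        if (!read_num(&text, &v))                              /* authority */
                return false;
        while (*text == '-') {                                 /* sub-auths */
                text++;
                if (out->num_auths >= MAX_SUB_AUTHS ||
                    !read_num(&text, &v) || v > UINT32_MAX)
                        return false;
                out->sub_auths[out->num_auths++] = (uint32_t)v;
        }
        return *text == '\0' && out->num_auths > 0;
}

/* Like sid_peek_rid(): the RID is the last sub-authority. Returns 0 when
 * the SID does not parse (no group in this model has RID 0). */
static uint32_t rid_of(const char *sid_text)
{
        struct sid s;
        return sid_parse(sid_text, &s) ? s.sub_auths[s.num_auths - 1] : 0;
}

/* SID -> name: the rid-513 case of get_domain_group_from_sid(), reached
 * when no explicit group mapping exists (always, in this model). */
static bool sid_to_special_name(const char *sid_text, char *name, size_t len,
                                enum sid_type *type)
{
        if (rid_of(sid_text) != DOMAIN_RID_USERS)
                return false;
        snprintf(name, len, "%s", "None");
        *type = SID_TYPE_DOM_GRP;
        return true;
}

/* name -> RID: the "None" case of lookup_global_sam_name(). Samba's
 * strequal() is case-insensitive; plain strcmp() stands in here. */
static bool special_name_to_rid(const char *name, uint32_t *rid,
                                enum sid_type *type)
{
        if (strcmp(name, "None") != 0)
                return false;
        *rid = DOMAIN_RID_USERS;
        *type = SID_TYPE_DOM_GRP;
        return true;
}

/* True when the SID maps to "None" and "None" maps back to the same RID
 * with the same type, i.e. the two special cases agree. */
static bool roundtrips(const char *sid_text)
{
        char name[16];
        enum sid_type t1 = SID_TYPE_UNKNOWN, t2 = SID_TYPE_UNKNOWN;
        uint32_t rid = 0;
        return sid_to_special_name(sid_text, name, sizeof(name), &t1) &&
               special_name_to_rid(name, &rid, &t2) &&
               rid == rid_of(sid_text) && t1 == t2;
}

int main(void)
{
        const char *s = "S-1-5-21-1111-2222-3333-513"; /* constructed sample */
        printf("%s -> %s\n", s, roundtrips(s) ? "None" : "(no special name)");
        return 0;
}
```

Only a SID ending in 513 takes the "None" path; any other RID, or a malformed SID string, falls through to the ordinary (here absent) group-mapping lookup, which is where a UNIX "Domain Users" group that nobody mapped to RID 513 would otherwise have to be found.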
