S-1-5-21-Local-SAM-SID-513 -> LOCAL-SAM-NAME\None

Ralph Boehme slow at samba.org
Fri Aug 7 17:38:03 UTC 2020

On 8/7/20 at 7:25 PM, Jeremy Allison wrote:
> On Fri, Aug 07, 2020 at 06:52:24PM +0200, Ralph Boehme wrote:
>> On 8/7/20 at 6:37 PM, Jeremy Allison wrote:
>>> OK, what it looks like is a call that can *never* fail
>>> on Windows - e.g. looking up S-1-5-[LOCAL-DOMAIN-PREFIX]-513
>>> must *always* map to "Domain Users" group.
>> but why on earth do we return "None" instead of "Domain Users"?
> Well I'm guessing that there might already be a UNIX "Domain Users"
> group, but someone didn't map it to RID-513.

Hm, but that doesn't interfere with SID <-> name mapping, only with SID
<-> ID mapping, which is another story.

> "None" was probably considered a safer choice. Dunno though.

Why not call it what it is? If you query a Windows machine for the local
RID 513 it will answer "Domain Users", so should we, shouldn't we?

> Ah, look here source3/passdb/passdb.c:
> bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
>                             enum lsa_SidType *type)
> {
>         GROUP_MAP *map;
>         bool ret;
>         /* Windows treats "MACHINE\None" as a special name for 
>            rid 513 on non-DCs.  You cannot create a user or group
>            name "None" on Windows.  You will get an error that 
>            the group already exists. */

Oh, that is interesting. I'll check if this is still true later on.
Thanks for finding this piece of code! :)


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
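The check the thread leaves open, as an added example (not code from this thread or from the Samba project): on a non-DC Windows machine, ask the local SAM what name it gives <machine SID>-513 and what SID it gives back for the two candidate names "None" and "Domain Users". It goes slightly beyond the thread by also resolving the neighbouring domain RIDs 512 and 514. It uses the .NET SecurityIdentifier/NTAccount wrappers over LookupAccountSid/LookupAccountName and assumes Get-LocalUser is available (Microsoft.PowerShell.LocalAccounts, Windows PowerShell 5.1 or later). The script reports what the machine answers; it asserts nothing, since the thread's two claims ("None" vs. "Domain Users") are exactly what is being checked.

```powershell
# Added example, not code from the Samba thread or the Samba project.
# Queries the local SAM of a (non-DC) Windows machine for the account-domain
# RIDs discussed in the thread, in both directions.

function Get-LocalMachineSid {
    # Every local account's SID is <machine SID>-<RID>; AccountDomainSid strips the RID.
    $anyLocal = Get-LocalUser | Select-Object -First 1
    return $anyLocal.SID.AccountDomainSid
}

function Resolve-LocalDomainRid {
    param(
        [System.Security.Principal.SecurityIdentifier] $DomainSid,
        [System.Security.Principal.WellKnownSidType]   $Type
    )
    # Build <machine SID>-<RID> with the well-known-SID constructor rather than by
    # string concatenation, then resolve SID -> name and map that name back to a SID.
    $sid  = [System.Security.Principal.SecurityIdentifier]::new($Type, $DomainSid)
    $rid  = [int] $sid.Value.Split('-')[-1]
    $name = $null
    $back = $null
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $back = ([System.Security.Principal.NTAccount] $name).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # LSA has no name for this SID (or no SID for the name it gave us).
    }
    $displayName = if ($name) { $name } else { '<not mapped>' }
    [pscustomobject] @{
        Rid        = $rid
        Sid        = $sid.Value
        Name       = $displayName
        RoundTrips = ($back -eq $sid.Value)
    }
}

function Resolve-LocalName {
    param([string] $Name)
    # Name -> SID for MACHINE\<Name>; reports 'not mapped' instead of throwing.
    $account = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, $Name)
    try {
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return 'not mapped'
    }
}

$machineSid = Get-LocalMachineSid
"Machine SID: $machineSid"

# SID -> name for the local 512/513/514 (thread only talks about 513).
@(
    [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,  # RID 512
    [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid,   # RID 513
    [System.Security.Principal.WellKnownSidType]::AccountDomainGuestsSid   # RID 514
) | ForEach-Object { Resolve-LocalDomainRid -DomainSid $machineSid -Type $_ } |
    Format-Table -AutoSize

# Name -> SID for the two names the thread argues about.
foreach ($n in 'Domain Users', 'None') {
    "{0}\{1} -> {2}" -f $env:COMPUTERNAME, $n, (Resolve-LocalName $n)
}
```

Run it in an elevated or non-elevated session alike; LookupAccountSid/LookupAccountName on the local SAM need no special privilege. The RoundTrips column shows whether the name LSA hands out for RID 513 resolves back to the same SID, which is the property a SID <-> name mapping (as opposed to the separate SID <-> ID mapping) has to preserve.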
