Nesting of local groups (SID_NAME_ALIAS)

Pavel Filipenský pfilipensky at samba.org
Thu Mar 16 19:20:46 UTC 2023


Hi,

winbind does not correctly display members for e.g. BUILTIN/users. It 
shows nothing:

./bin/wbinfo --group-info BUILTIN/users
BUILTIN/users:x:100001:


Given that "BUILTIN\Users" has 1 member "ADDOMAIN\Domain Users", it 
should instead show:

./bin/wbinfo --group-info "ADDOMAIN/domain users"
ADDOMAIN/domain users:x:100006:ADDOMAIN/joe,ADDOMAIN/jane,ADDOMAIN/samba2008r2$,ADDOMAIN/samba2003$,ADDOMAIN/administrator,ADDOMAIN/krbtgt,ADDOMAIN/testallowed account,ADDOMAIN/testupnspn,ADDOMAIN/testdenied,ADDOMAIN/alice,ADDOMAIN/srv_account,ADDOMAIN/bob


I am working on the fix. One part is to call 
dcerpc_samr_GetMembersInAlias() instead of the wrong 
dcerpc_samr_GetAliasMembership() in source3/winbindd/winbindd_rpc.c.
Another part is to change the code dealing with nested groups / aliases. 
For that, I need to understand if aliases (SID_NAME_ALIAS) can be 
nested, like groups (SID_NAME_DOM_GRP).
Reading the Microsoft documentation 
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597504d8-5408-4629-9d81-aab661e6c953:

/A local group can contain user accounts that are local to the computer 
and user accounts and global groups from their own domain./

It looks like "Local groups", which I believe is BUILTIN/users 
(SID_NAME_ALIAS), cannot contain another "Local group". I have tested 
that also on Windows Server using lusrmgr.msc, and such nesting was not 
possible.

However, samba server allows such nesting:

bin/net sam createlocalgroup TestGroup1
bin/net sam createlocalgroup TestGroup2
bin/net sam addmem TestGroup1 TestGroup2


Can I assume that SID_NAME_ALIAS cannot be nested?


Best regards,
Pavel
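The nested-membership expansion the post is about, as an added example that is not Samba code: a small Python model over a constructed directory that expands domain groups (SID_NAME_DOM_GRP) recursively with a cycle guard, but flags an alias (SID_NAME_ALIAS) found as a member instead of expanding it, which is the behaviour the quoted MS-AUTHSOD text implies. The `SidType` enum, the `DIRECTORY` entries and the `expand_members` / `group_info_line` functions are the example's own assumptions, not winbind's API.

```python
from enum import Enum


class SidType(Enum):
    USER = "SID_NAME_USER"
    DOM_GRP = "SID_NAME_DOM_GRP"
    ALIAS = "SID_NAME_ALIAS"


# Constructed sample directory (not real lookups): name -> (SID type, direct members)
DIRECTORY = {
    "BUILTIN/users": (SidType.ALIAS, ["ADDOMAIN/domain users"]),
    "ADDOMAIN/domain users": (SidType.DOM_GRP, ["ADDOMAIN/joe", "ADDOMAIN/jane", "ADDOMAIN/devs"]),
    # a domain group that refers back to its parent, to exercise the cycle guard
    "ADDOMAIN/devs": (SidType.DOM_GRP, ["ADDOMAIN/alice", "ADDOMAIN/domain users"]),
    "ADDOMAIN/joe": (SidType.USER, []),
    "ADDOMAIN/jane": (SidType.USER, []),
    "ADDOMAIN/alice": (SidType.USER, []),
    # the alias-in-alias nesting that `net sam addmem` accepted in the post
    "BUILTIN/TestGroup1": (SidType.ALIAS, ["BUILTIN/TestGroup2"]),
    "BUILTIN/TestGroup2": (SidType.ALIAS, ["ADDOMAIN/jane"]),
}


def expand_members(name, directory=DIRECTORY):
    """Return (sorted users reachable from `name`, list of (parent, member) pairs
    flagged instead of expanded: aliases used as members, or unresolvable names)."""
    users, flagged, seen = set(), [], set()

    def walk(group):
        if group in seen:          # cycle guard for group-in-group loops
            return
        seen.add(group)
        for member in directory[group][1]:
            mtype = directory.get(member, (None, None))[0]
            if mtype is SidType.USER:
                users.add(member)
            elif mtype is SidType.DOM_GRP:
                walk(member)       # domain groups may nest: recurse
            else:
                # SID_NAME_ALIAS as a member (not allowed per the quoted MS-AUTHSOD
                # text) or an unresolvable name: report it, do not expand it
                flagged.append((group, member))

    walk(name)
    return sorted(users), flagged


def group_info_line(name, gid, directory=DIRECTORY):
    """Format the expanded membership the way `wbinfo --group-info` prints it."""
    users, _ = expand_members(name, directory)
    return f"{name}:x:{gid}:{','.join(users)}"
```

Expanding BUILTIN/users resolves through ADDOMAIN/domain users to its users despite the devs/domain users loop, while BUILTIN/TestGroup1 yields no users and one flagged alias-in-alias entry.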

