NTDOM: NT domain groups, SIDs and other information required

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Oct 20 18:42:32 GMT 1997

i am currently in the process of implementing NT Domain Authentication in 
samba (ftp://samba.anu.edu.au/pub/samba/alpha/samba-1.9.18alpha2.tar.gz), 
following work done by Paul Ashton <paul at argo.demon.co.uk> and myself.

an NT Workstation can log in and out from samba just like a Win95 machine
can.  The Win95 login / logout process is fully documented in cifs6.txt. 
The NT login / logout process is being documented in cifsntdomain.txt.

i am soliciting assistance for the process of documenting (and then
implementing) the NT Domain Authentication protocol.

[NTSEC: this may appear not to be of much relevance to the ntsec list at
first glance.  however, i thought it best to make you aware of what is
going on, and that given that the Samba source code is freely available
and distributable, it is quite simple to generate random or false MSRPC
packets which will either crash, fool or irreversibly damage an NT
workstation installation.  yes, the latter _has_ occurred, requiring a
complete reinstall of NT, and has been reported on NTBUGTRAQ.  you should
therefore take action to protect your sites from any illegal activities]. 

in particular, i am looking for some references to documentation (that
does not require me to access premium or exclusive sites, that may require
me to download a cookie: i have no idea where lynx2.7 puts its cookies, if
anywhere) on the following topics.  i will be adding any references and / 
or contributions, with acknowledgments, to:


so that anyone wishing to assist with or contribute to this process will 
be able to do so, without duplicating work and effort.

the topics are:

- Domain SIDs

  i currently understand that SIDs are expressed as S-1-5-nn-nn-nn-nn-nn
  where the nns are sub-authorities.  (a SID can also be S-1-0xNNNNNNNNNNNN).
  i do not know the exact meaning of the sub-authorities, and their 
  relevance.   except the last sub-authority, which is the user's RID.

- RIDs

  i understand these to be the equivalent of unix "user ids".  i also 
  understand that microsoft's posix-compliant library has a mapping system
  from RIDs to posix uids: add 1,000 to the uid to get a RID.

- Domain Groups, and their relationship to RIDs and SIDs.

  see cifsntdomain.txt, DOM_GID in the "Structures" section, as used by
  the "LSA SAM Logon" response, from the USER_INFO_1 structure.  an array
  of group_id / user_attributes can be transferred across in the SAM Logon.

  this is one thing i _really_ don't get.  also, i can't do a shutdown of
  an NT workstation having logged on to an NT domain: it says "insufficient
  access rights".

- the MSRPC srvsvc and other pipes, and example Netmonitor packet traces.

  We currently have, by a process of observation and analysis of Netmonitor
  traces by Paul Ashton, limited but sufficient functionality on the 
  NETLOGON, ntlsa and srvsvc pipes.
  Browsing of a Samba PDC is not possible (although net view \\server and
  Find Computer is) as we suspect that we are missing the "Net Server 
  Enum" MSRPC reply / response.

anyone wishing to sponsor me to ensure that i can continue to be the
current fulcrum for this project is more than welcome to contact me in

anyone wishing to take responsibility for this project is also welcome to
contact me.

best regards,


<a href="mailto:lkcl at switchboard.net"  > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Lynx2.7-friendly Home Page   </a>
<br><b> "Apply the Laws of Nature to your environment because your
         environment applies the Laws of Nature to you"              </b>

More information about the samba mailing list