[Samba] Samba + sssd deployment: success and failure
Alexey A Nikitin
nikitin at amazon.com
Thu Jun 13 06:55:42 UTC 2019
On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote:
> >> I think you mean 'RID' instead of 'SID'
> > Yes, you're right. The Windows people seem to use the terms synonymously.
> I cannot help that, the SID identifies the domain and the RID is
> appended to the end of the SID and identifies the object (user,
> group, computer etc.)
I believe a small clarification is due here: a SID does identify individual objects. Its components are a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as the 'source of authority'), as well as the 32-bit RID (relative ID, similar to UID/GID in POSIX except that it is a single 32-bit space for any and all security principals in a domain/machine) itself. AFAIK the only exceptions to the rule of a SID including a RID as a necessary part are Service SIDs and Machine SIDs. Service SIDs are used to manage permissions for individual services (they are longer than a typical SID and are based on a SHA1 hash of the service name), and Machine SIDs are effectively just a special case of the SID prefix without a RID. That said, the machine accounts in AD will have a full SID with a RID, and that SID will not match the local machine SID at all.
If any of the above is a misconception I have, please correct me.
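The SID layout described in this exchange, as an added worked example (not code from the thread or from Samba): a small parser that handles both the textual form `S-1-5-21-A-B-C-RID` and the binary form (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities), splits a SID into its issuing prefix and trailing RID, and extracts the 96-bit domain identifier so two SIDs can be checked for membership in the same domain. The sample SIDs are constructed for the example; `S-1-5-32-544` is the well-known BUILTIN\Administrators SID.

```python
"""Parse, serialise and split Windows security identifiers (SIDs).

A domain account SID of the form S-1-5-21-A-B-C-RID carries a 96-bit
domain identifier (three 32-bit sub-authorities A, B, C) followed by a
32-bit RID. Sample SIDs in this file are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

SECURITY_NT_AUTHORITY = 5   # identifier authority used by NT/AD SIDs
NON_UNIQUE_SUBAUTH = 21     # first sub-authority of domain/machine SIDs


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """Parse the textual form 'S-R-I-S1-S2-...'."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        authority = int(parts[2], 0)          # decimal, or 0x... for large 48-bit values
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
            raise ValueError(f"malformed SID: {text!r}")
        if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
            raise ValueError("sub-authority out of 32-bit range")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Parse the binary form used on the wire and in security descriptors."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match length")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack("<%dI" % count, data[8:])
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        return (bytes([self.revision, len(self.sub_authorities)])
                + self.identifier_authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.sub_authorities))

    def __str__(self) -> str:
        fields = (self.revision, self.identifier_authority, *self.sub_authorities)
        return "S-" + "-".join(str(x) for x in fields)


def _is_21_style(sid: Sid, count: int) -> bool:
    return (sid.identifier_authority == SECURITY_NT_AUTHORITY
            and len(sid.sub_authorities) == count
            and sid.sub_authorities[0] == NON_UNIQUE_SUBAUTH)


def is_domain_or_machine_sid(sid: Sid) -> bool:
    """S-1-5-21-A-B-C: the prefix alone, with no RID (e.g. a local machine SID)."""
    return _is_21_style(sid, 4)


def is_domain_account_sid(sid: Sid) -> bool:
    """S-1-5-21-A-B-C-RID: a user, group or computer account in a domain."""
    return _is_21_style(sid, 5)


def split_prefix_and_rid(sid: Sid) -> Tuple[Sid, int]:
    """Split a SID into (issuing-authority prefix, trailing 32-bit RID)."""
    if not sid.sub_authorities:
        raise ValueError("SID has no RID component")
    prefix = Sid(sid.revision, sid.identifier_authority, sid.sub_authorities[:-1])
    return prefix, sid.sub_authorities[-1]


def domain_identifier(sid: Sid) -> bytes:
    """The 96-bit (12-byte) pseudo-random domain/machine identifier of a 21-style SID."""
    if not (is_domain_or_machine_sid(sid) or is_domain_account_sid(sid)):
        raise ValueError(f"not a domain- or machine-style SID: {sid}")
    return b"".join(struct.pack("<I", s) for s in sid.sub_authorities[1:4])


def same_domain(a: Sid, b: Sid) -> bool:
    """True when both SIDs were issued relative to the same domain/machine identifier."""
    return domain_identifier(a) == domain_identifier(b)


if __name__ == "__main__":
    # Constructed sample values, not real domain identifiers.
    user = Sid.from_string("S-1-5-21-1000000001-1000000002-1000000003-1105")
    local_machine = Sid.from_string("S-1-5-21-4000000001-4000000002-4000000003")
    prefix, rid = split_prefix_and_rid(user)
    print("domain prefix:", prefix, "RID:", rid)
    print("same domain as local machine SID:", same_domain(user, local_machine))
    print("binary form:", user.to_bytes().hex())
```

The `same_domain` check is the one a deployment with sssd or winbind actually cares about: an AD computer account's SID and the host's local machine SID both have the `S-1-5-21` shape, but their 96-bit identifiers differ, which is exactly why the two never match.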