[Samba] Samba + sssd deployment: success and failure

Rowland penny rpenny at samba.org
Thu Jun 13 07:40:29 UTC 2019


On 13/06/2019 07:55, Alexey A Nikitin wrote:
> On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote:
>>>> I think you mean 'RID' instead of 'SID'
>>> Yes, you're right.  The Windows people seem to use the terms synonymously.
>> I cannot help that, the SID identifies the domain and the RID is
>> appended to the end of the SID and identifies the object (user,
>> group, computer etc)
>>
> I believe a small clarification is due here: SID does identify individual objects. It has a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as 'source of authority') as well as a 32-bit RID (relative ID, similar to UID/GID in POSIX except it is a single 32-bit space for any and all security principals in a domain/machine) itself as its components. AFAIK the only exceptions to the rule of SID including RID as its necessary part are Service SIDs and Machine SIDs. The Service SIDs are used to manage permissions for individual services (longer than typical SID and is based on SHA1 hash of the service name) and Machine SIDs are effectively just a special case of the SID prefix without RID. That said the machine accounts in AD will have full SID with RID, and that SID will not match the local machine SID at all.
>
> If any of the above is a misconception I have - please correct me.

You might think that, and you may be correct in what you say, but it 
still doesn't alter the fact that the SID by itself identifies the domain and, 
to identify an individual object, it gets a RID added to the end of the SID.

The SID can be in the form 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' 
or 'S-1-5-32' (there are others).

Until you add a RID to the above, it only identifies a domain, but once 
you do, it identifies an individual object in a domain, S-1-5-32-548 
identifies the 'Account Operators' group in the BUILTIN domain.

You cannot call something a SID, then add a RID to it and continue to 
call it a SID, 'SID-RID' perhaps would be a better term.

Rowland
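The domain-prefix versus object-SID distinction argued over in this thread, as an added example that is not part of the list post or of Samba's own code: it parses the string form, reports whether a value is a bare domain/BUILTIN prefix (S-1-5-21-x-y-z or S-1-5-32) or has a RID appended, splits the RID off, and round-trips the binary layout AD and Samba use on the wire. The byte layout is assumed from the published SID format (revision, sub-authority count, 48-bit big-endian authority, little-endian uint32 sub-authorities).

```python
# Added example, not Samba code: SID string parsing, domain-prefix/RID split, wire encoding.
from __future__ import annotations
import re
import struct
from typing import NamedTuple

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

class Sid(NamedTuple):
    revision: int
    authority: int          # 48-bit identifier authority; 5 is NT Authority
    sub_authorities: tuple  # up to 15 uint32 values; the last one is the RID

    @classmethod
    def parse(cls, text: str) -> Sid:
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID string: {text!r}")
        rev, auth = int(m.group(1)), int(m.group(2))
        subs = tuple(int(s) for s in m.group(3).split("-") if s)
        if rev != 1 or auth >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
            raise ValueError(f"out-of-range SID component: {text!r}")
        return cls(rev, auth, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    def is_domain_sid(self) -> bool:
        # S-1-5-21-x-y-z (a domain or local machine) and S-1-5-32 (BUILTIN)
        # are prefixes only: no RID has been appended yet.
        s = self.sub_authorities
        return self.authority == 5 and (s == (32,) or (len(s) == 4 and s[0] == 21))

    def split(self) -> tuple[Sid, int]:
        """(domain-prefix SID, RID) for an object SID such as S-1-5-32-548."""
        if self.is_domain_sid() or not self.sub_authorities:
            raise ValueError(f"{self} has no RID: it only identifies a domain")
        return Sid(self.revision, self.authority, self.sub_authorities[:-1]), self.sub_authorities[-1]

    def to_bytes(self) -> bytes:
        # Wire layout: revision byte, sub-authority count byte, 48-bit big-endian
        # authority, then each sub-authority as a little-endian uint32.
        head = struct.pack(">BB", self.revision, len(self.sub_authorities))
        return head + self.authority.to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in self.sub_authorities)

    @classmethod
    def from_bytes(cls, raw: bytes) -> Sid:
        count = raw[1]
        subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])
        return cls(raw[0], int.from_bytes(raw[2:8], "big"), subs)
```

Calling `Sid.parse("S-1-5-32-548").split()` gives the BUILTIN prefix S-1-5-32 and RID 548, the Account Operators example from the post; calling `split()` on the bare prefix raises, which is exactly the point being made.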
