[Samba] Samba + sssd deployment: success and failure

Alexey A Nikitin nikitin at amazon.com
Thu Jun 13 17:32:58 UTC 2019


On Thursday, 13 June 2019 09:18:25 PDT Goetz, Patrick G via samba wrote:
> On 6/13/19 10:48 AM, Alexey A Nikitin via samba wrote:
> > According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.
> > 
> 
> I think the relevant question (and the reason this came up) is that I 
> want the UID mapping to be:
> 
>      linux UID = domain RID
> 
> I was calling it an SID (which, based on talking to Windows admins, I'm 
> surmising is understood to mean RID, depending on context).  Anyway, 
> that was the genesis of this discussion.  To give a concrete example,
> 
> Running this command on one of sssd linux domain members:
> 
> root at kraken:/home/pgoetz# getent passwd pgoetz
> pgoetz:*:1562224688:1007000513:Goetz Patrick G 
> (pgoetz):/home/pgoetz:/bin/bash
> 
> 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users 
> group:
> 

Domain Users group is a standard group with a well-known SID of S-1-5-<domain id>-513, and its RID is 513. If you read through 'man idmap_rid' you'll see that UID/GID = range base offset + RID. In other words, if you want to get the actual RID of a security principal in your domain you should substract from their UID/GID on your system the number 1007000000, which is apparently is the base offset for the UID/GID range you've assigned for that domain in your system.

On Thursday, 13 June 2019 09:11:32 PDT Rowland penny via samba wrote:
> I do not really care what Microsoft calls them, to me a SID identifies a 
> domain, a RID identifies an object in a domain and a SID-RID is a 
> combination of the two and identifies an object in a particular domain.
> 
> If you want to call a SID-RID a SID, be my guest, I will not stop you ;-)
> 
> Rowland
> 

It's not about what Alexey Nikitin, Rowland Penny or Microsoft wants to call things, it's about making sure that people don't get confused when they discuss these topics off this list.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.samba.org/pipermail/samba/attachments/20190613/2ffd941c/signature.sig>


More information about the samba mailing list