How to determine if a SID is group or user?

Gerald Carter gcarter at valinux.com
Thu Nov 9 19:59:30 GMT 2000


John M Trostel wrote:
> 
> Well, I'm trying to come back through the "set_nt_acl" 
> call, with a pre-alpha implementation of XFS acls.  There 
> are more than the standard 3 ACEs created and I need (when 
> they are read back in as is done in "unpack_nt_permissions") 
> to determine if the ACE is a user or group ACE.
> 
> Is the 'last bit' the high order or low order bit here? 
> (And is that the one I see in the dacl->ace[i] structure?)
> 
> typedef struct security_ace_info
> {
>     uint8 type;  /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
>     uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
>     uint16 size;
> 
>     SEC_ACCESS info;
>     DOM_SID sid;
> 
> } SEC_ACE;

Ah....Well first you will need to get the rid from the 
last 32 bits of the DOM_SID.  Don't know if there is a 
function for this (would think so).  Check around and see.

Be aware that I have not worked on the security descriptor 
code that much and not at all on ACLs, so take what I say
with a grain of salt :-)

(And yes that would be the low bit)


from include/smb.h:

/* DOM_SID - security id */
typedef struct sid_info
{
  uint8  sid_rev_num;             /* SID revision number */
  uint8  num_auths;               /* number of sub-authorities */
  uint8  id_auth[6];              /* Identifier Authority */
  /*
   * Note that the values in these uint32's are in *native* byteorder,
   * not necessarily little-endian...... JRA.
   */
  uint32 sub_auths[MAXSUBAUTHS];  /* pointer to sub-authorities. */

} DOM_SID;



from passdb/passdb.c:

/*******************************************************************
 Decides if a RID is a user or group RID.
 ********************************************************************/
BOOL pdb_rid_is_user(uint32 rid)
{
  /* lkcl i understand that NT attaches an enumeration to a RID
   * such that it can be identified as either a user, group etc
   * type.  there are 5 such categories, and they are documented.
   */
   if(pdb_rid_is_well_known(rid)) {
      /*
       * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
       * and DOMAIN_USER_RID_GUEST.
       */
     if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
       return True;
   } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
     return True;
   }
   return False;
}







Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
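
Added example, not part of the original message and not Samba's own code: the two steps the reply describes, taking the RID from the last sub-authority in use and then applying the low-bit test from pdb_rid_is_user(), with a bounds check on num_auths. The macro values, the `rid < 1000` stand-in for pdb_rid_is_well_known(), and the names sid_last_rid, sid_is_user and classify_sample are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed values: the page names these macros but does not define them. */
#define MAXSUBAUTHS            15
#define RID_TYPE_MASK          1u      /* low bit of the RID carries the type */
#define USER_RID_TYPE          0u
#define DOMAIN_USER_RID_ADMIN  0x1F4u  /* 500 */
#define DOMAIN_USER_RID_GUEST  0x1F5u  /* 501 */
#define WELL_KNOWN_RID_LIMIT   1000u   /* stand-in for pdb_rid_is_well_known() */

typedef struct sid_info {
  uint8_t  sid_rev_num;
  uint8_t  num_auths;
  uint8_t  id_auth[6];
  uint32_t sub_auths[MAXSUBAUTHS];     /* native byte order */
} DOM_SID;

/* Hypothetical helper: the RID is the last sub-authority actually in use.
 * Returns 0 on success, -1 if num_auths would index outside sub_auths[]. */
int sid_last_rid(const DOM_SID *sid, uint32_t *rid)
{
  if (!sid || !rid || sid->num_auths == 0 || sid->num_auths > MAXSUBAUTHS)
    return -1;
  *rid = sid->sub_auths[sid->num_auths - 1];
  return 0;
}

/* 1 = user, 0 = not a user (group or other), -1 = malformed SID. */
int sid_is_user(const DOM_SID *sid)
{
  uint32_t rid;
  if (sid_last_rid(sid, &rid) != 0)
    return -1;
  if (rid < WELL_KNOWN_RID_LIMIT)      /* only two well-known user RIDs */
    return rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST;
  return (rid & RID_TYPE_MASK) == USER_RID_TYPE;
}

/* Constructed sample SID S-1-5-21-1-2-3-<rid>; num_auths is a parameter
 * so that malformed counts can be exercised. */
int classify_sample(uint32_t rid, uint8_t num_auths)
{
  DOM_SID s = { 1, num_auths, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3, rid} };
  return sid_is_user(&s);
}

int main(void)
{
  printf("%d %d\n", classify_sample(1000, 5), classify_sample(1001, 5));
  return 0;
}
```

A SID read back from stored ACL data should be rejected when sid_last_rid() fails rather than treated as a group, since a num_auths outside 1..MAXSUBAUTHS would otherwise index past sub_auths[].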



