S-1-5-21-Local-SAM-SID-513 -> LOCAL-SAM-NAME\None
Jeremy Allison
jra at samba.org
Fri Aug 7 17:25:22 UTC 2020
On Fri, Aug 07, 2020 at 06:52:24PM +0200, Ralph Boehme wrote:
> Am 8/7/20 um 6:37 PM schrieb Jeremy Allison:
> > OK, what it looks like is a call that can *never* fail
> > on Windows - e.g. looking up S-1-5-[LOCAL-DOMAIN-PREFIX]-513
> > must *always* map to "Domain Users" group.
>
> but why on earth do we return "None" instead of "Domain Users"?
Well I'm guessing that there might already be a UNIX "Domain Users"
group, but someone didn't map it to RID-513.
"None" was probably considered a safer choice. Dunno though.
Ah, look here source3/passdb/passdb.c:
bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
                            enum lsa_SidType *type)
{
        GROUP_MAP *map;
        bool ret;

        /* Windows treats "MACHINE\None" as a special name for
           rid 513 on non-DCs. You cannot create a user or group
           name "None" on Windows. You will get an error that
           the group already exists. */
        if ( strequal( name, "None" ) ) {
                *rid = DOMAIN_RID_USERS;
                *type = SID_NAME_DOM_GRP;
                return True;
        }
and here source3/groupdb/mapping.c:get_domain_group_from_sid(struct dom_sid sid, GROUP_MAP *map):
        /* special case check for rid 513 */
        if ( !ret ) {
                uint32_t rid;

                sid_peek_rid( &sid, &rid );
                if ( rid == DOMAIN_RID_USERS ) {
                        map->nt_name = talloc_strdup(map, "None");
                        if (!map->nt_name) {
                                return false;
                        }
                        map->comment = talloc_strdup(map, "Ordinary Users");
                        if (!map->comment) {
                                return false;
                        }
                        sid_copy( &map->sid, &sid );
                        map->sid_name_use = SID_NAME_DOM_GRP;
                        map->gid = (gid_t)-1;
                        return True;
                }
                return False;
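The two excerpts quoted above special-case RID 513 in both directions: the name "None" always resolves to DOMAIN_RID_USERS, and a local-SAM SID ending in 513 that no group map entry owns resolves to "None". The following stand-alone C program is an added example (not Samba's code, and not from this thread) that reproduces that behaviour against a constructed group map, so the round trip name -> RID -> name can be checked. The local SAM SID, the group names and their RIDs are constructed values for the example; `sid_peek_rid_str`, `local_lookup_name`, `local_lookup_sid` and `round_trip_ok` are hypothetical helpers, not Samba functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Well-known RID of "Domain Users" (same value as Samba's DOMAIN_RID_USERS). */
#define DOMAIN_RID_USERS 513

/* Hypothetical local SAM domain SID, constructed for this example. */
static const char *LOCAL_SAM_SID = "S-1-5-21-1111-2222-3333";

/* Extract the trailing RID from a textual SID, the string analogue of
 * sid_peek_rid(): "S-1-5-21-...-513" -> 513. Returns false when the string
 * is not "S-1-<authority>" followed by at least one numeric sub-authority. */
bool sid_peek_rid_str(const char *sid, uint32_t *rid)
{
        if (sid == NULL || strncmp(sid, "S-1-", 4) != 0) {
                return false;
        }
        const char *dash = strrchr(sid, '-');
        /* The last '-' must not be the one after "S-1", and something must follow it. */
        if (dash == NULL || dash == sid + 3 || dash[1] == '\0') {
                return false;
        }
        char *end = NULL;
        unsigned long val = strtoul(dash + 1, &end, 10);
        if (*end != '\0' || val > UINT32_MAX) {
                return false;
        }
        *rid = (uint32_t)val;
        return true;
}

/* Constructed stand-in for the SAM group map. Note that no entry owns RID
 * 513, and that a UNIX group named "Domain Users" exists but is mapped to
 * an ordinary RID, the situation the post speculates about. */
struct group_entry { const char *name; uint32_t rid; };
static const struct group_entry GROUP_MAP[] = {
        { "staff",        1001 },
        { "Domain Users", 1002 },
};
#define GROUP_MAP_LEN (sizeof(GROUP_MAP) / sizeof(GROUP_MAP[0]))

/* Name -> RID, mirroring lookup_global_sam_name(): "None" is answered with
 * RID 513 before the group map is consulted, so it can never be shadowed. */
bool local_lookup_name(const char *name, uint32_t *rid)
{
        if (strcasecmp(name, "None") == 0) {
                *rid = DOMAIN_RID_USERS;
                return true;
        }
        for (size_t i = 0; i < GROUP_MAP_LEN; i++) {
                if (strcasecmp(GROUP_MAP[i].name, name) == 0) {
                        *rid = GROUP_MAP[i].rid;
                        return true;
                }
        }
        return false;
}

/* SID -> name, mirroring get_domain_group_from_sid(): the group map is tried
 * first; if nothing matches and the RID is 513 the answer is "None", so the
 * lookup of the local "Domain Users" SID never fails. Only SIDs inside the
 * local SAM domain are resolved here. */
bool local_lookup_sid(const char *sid, char *name, size_t name_len)
{
        uint32_t rid;
        size_t prefix_len = strlen(LOCAL_SAM_SID);

        if (strncmp(sid, LOCAL_SAM_SID, prefix_len) != 0 || sid[prefix_len] != '-') {
                return false;
        }
        if (!sid_peek_rid_str(sid, &rid)) {
                return false;
        }
        for (size_t i = 0; i < GROUP_MAP_LEN; i++) {
                if (GROUP_MAP[i].rid == rid) {
                        snprintf(name, name_len, "%s", GROUP_MAP[i].name);
                        return true;
                }
        }
        if (rid == DOMAIN_RID_USERS) {
                snprintf(name, name_len, "None");
                return true;
        }
        return false;
}

/* Round trip: name -> RID -> SID -> name must give the original name back.
 * This is the consistency property the two special cases together provide. */
bool round_trip_ok(const char *name)
{
        uint32_t rid;
        char sid[128], back[64];

        if (!local_lookup_name(name, &rid)) {
                return false;
        }
        snprintf(sid, sizeof(sid), "%s-%u", LOCAL_SAM_SID, (unsigned)rid);
        if (!local_lookup_sid(sid, back, sizeof(back))) {
                return false;
        }
        return strcasecmp(name, back) == 0;
}

int main(void)
{
        char name[64];
        const char *sid = "S-1-5-21-1111-2222-3333-513";
        if (local_lookup_sid(sid, name, sizeof(name))) {
                printf("%s -> LOCAL-SAM-NAME\\%s\n", sid, name);
        }
        printf("round trip \"None\": %s\n", round_trip_ok("None") ? "ok" : "FAILED");
        return 0;
}
```

The point of the round-trip check is that the "None" special case has to be applied on both the name and the SID side; handling only one side would let a name lookup succeed for a SID that the reverse lookup then fails to resolve, which is exactly the "call that can never fail on Windows" case discussed above.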