S-1-5-21-Local-SAM-SID-513 -> LOCAL-SAM-NAME\None
Ralph Boehme
slow at samba.org
Fri Aug 7 17:38:03 UTC 2020
On 8/7/20 at 7:25 PM, Jeremy Allison wrote:
> On Fri, Aug 07, 2020 at 06:52:24PM +0200, Ralph Boehme wrote:
>> On 8/7/20 at 6:37 PM, Jeremy Allison wrote:
>>> OK, what it looks like is a call that can *never* fail
>>> on Windows - e.g. looking up S-1-5-[LOCAL-DOMAIN-PREFIX]-513
>>> must *always* map to "Domain Users" group.
>>
>> but why on earth do we return "None" instead of "Domain Users"?
>
> Well I'm guessing that there might already be a UNIX "Domain Users"
> group, but someone didn't map it to RID-513.
Hm, but that doesn't interfere with SID <-> Name mapping, only with SID
<-> id mapping, which is another story.
> "None" was probably considered a safer choice. Dunno though.
Why not call it what it is? If you query a Windows machine for the local
RID 513 it will answer "Domain Users" so should we, shouldn't we?
> Ah, look here source3/passdb/passdb.c:
>
> bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
>                             enum lsa_SidType *type)
> {
>         GROUP_MAP *map;
>         bool ret;
>
>         /* Windows treats "MACHINE\None" as a special name for
>            rid 513 on non-DCs. You cannot create a user or group
>            name "None" on Windows. You will get an error that
>            the group already exists. */
Oh, that is interesting. I'll check if this is still true later on.
Thanks for finding this piece of code! :)
Thanks!
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
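The SID <-> name rule discussed in this thread, as an added Python sketch (not Samba code and not from any participant): it resolves a SID in the local SAM domain, special-casing RID 513 as "None" on a non-DC and "Domain Users" on a DC, and mirrors the name-to-RID direction of the lookup_global_sam_name special case quoted above. The machine SID and SAM name are constructed, the type strings stand in for lsa_SidType values, and the extra well-known RIDs 512/514 go beyond what the thread mentions.

```python
import re
from typing import Optional, Tuple

# S-1-5-21-<a>-<b>-<c>-<rid>: SAM domain SID (machine or AD domain) plus RID.
_SAM_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Stand-ins for the lsa_SidType enum values used in the quoted passdb code.
SID_NAME_DOM_GRP = "SID_NAME_DOM_GRP"
SID_NAME_UNKNOWN = "SID_NAME_UNKNOWN"

# Well-known domain-relative group RIDs (513 is the one the thread is about).
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def split_sam_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Return (domain_sid, rid) for an S-1-5-21-... SID, or None if malformed."""
    m = _SAM_SID_RE.match(sid)
    if not m:
        return None
    a, b, c, rid = (int(x) for x in m.groups())
    if max(a, b, c, rid) > 0xFFFFFFFF:  # sub-authorities are 32-bit values
        return None
    return f"S-1-5-21-{a}-{b}-{c}", rid


def lookup_local_sam_sid(sid: str, machine_sid: str, local_sam_name: str,
                         is_dc: bool) -> Tuple[str, str]:
    """SID -> (DOMAIN\\name, type) for the local SAM domain. RID 513 never fails
    to resolve: a DC answers "Domain Users", a non-DC answers "None"."""
    parts = split_sam_sid(sid)
    if parts is None or parts[0] != machine_sid:
        return "", SID_NAME_UNKNOWN  # malformed or not our SAM domain
    rid = parts[1]
    if rid == 513 and not is_dc:
        return f"{local_sam_name}\\None", SID_NAME_DOM_GRP
    if rid in WELL_KNOWN_GROUP_RIDS:
        return f"{local_sam_name}\\{WELL_KNOWN_GROUP_RIDS[rid]}", SID_NAME_DOM_GRP
    return "", SID_NAME_UNKNOWN  # a real implementation now consults the group DB


def lookup_global_sam_name(name: str, is_dc: bool) -> Optional[Tuple[int, str]]:
    """Name -> (rid, type), mirroring the special case quoted from passdb.c:
    on a non-DC the reserved name "None" always maps to RID 513."""
    if not is_dc and name.lower() == "none":
        return 513, SID_NAME_DOM_GRP
    for rid, group in WELL_KNOWN_GROUP_RIDS.items():
        if group.lower() == name.lower():
            return rid, SID_NAME_DOM_GRP
    return None  # not well-known: fall through to the regular group database
```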