Nesting of local groups (SID_NAME_ALIAS)
Rowland Penny
rpenny at samba.org
Thu Mar 16 19:47:51 UTC 2023
On 16/03/2023 19:20, Pavel Filipenský via samba-technical wrote:
> Hi,
>
> winbind does not correctly display members for e.g. BUILTIN/users. It
> shows nothing:
>
> ./bin/wbinfo --group-info BUILTIN/users
> BUILTIN/users:x:100001:
>
>
> Given that "BUILTIN\Users" has 1 member "ADDOMAIN\Domain Users", it
> should instead show:
>
> ./bin/wbinfo --group-info "ADDOMAIN/domain users"
> ADDOMAIN/domain users:x:100006:ADDOMAIN/joe,ADDOMAIN/jane,ADDOMAIN/samba2008r2$,ADDOMAIN/samba2003$,ADDOMAIN/administrator,ADDOMAIN/krbtgt,ADDOMAIN/testallowed account,ADDOMAIN/testupnspn,ADDOMAIN/testdenied,ADDOMAIN/alice,ADDOMAIN/srv_account,ADDOMAIN/bob
>
>
> I am working on the fix. One part is to call
> dcerpc_samr_GetMembersInAlias() instead of the wrong
> dcerpc_samr_GetAliasMembership() in source3/winbindd/winbindd_rpc.c.
> Another part is to change the code dealing with nested groups / aliases.
> For that, I need to understand if aliases (SID_NAME_ALIAS) can be
> nested, like groups (SID_NAME_DOM_GRP).
> Reading the Microsoft documentation
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-authsod/597504d8-5408-4629-9d81-aab661e6c953:
>
> /A local group can contain user accounts that are local to the computer
> and user accounts and global groups from their own domain./
>
> It looks as if "Local groups", which I believe is BUILTIN/users
> (SID_NAME_ALIAS), cannot contain another "Local group". I have tested
> that also on a Windows server using lusrmgr.msc, and such nesting was not
> possible.
>
> However, the Samba server allows such nesting:
>
> bin/net sam createlocalgroup TestGroup1
> bin/net sam createlocalgroup TestGroup2
> bin/net sam addmem TestGroup1 TestGroup2
>
>
> Can I assume that SID_NAME_ALIAS cannot be nested?
>
>
> Best regards,
> Pavel
My understanding of the BUILTIN groups is that they do contain 'local
groups', but that is 'local' to the domain, not the computer, or have I
misunderstood something?
There is also the point that I have never used BUILTIN\users and never
missed it.
What is your use case for this?
Rowland
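To make the two SAMR calls and the nesting question concrete, here is a small Python model written for this page. It is not Samba code and does not speak RPC: it models the rule from the MS-AUTHSOD passage quoted above (a local group, i.e. an alias, may hold users and global groups but not another alias, matching what Pavel saw in lusrmgr.msc), contrasts the direction of SamrGetMembersInAlias (alias -> members) with SamrGetAliasMembership (SIDs -> aliases containing them), and flattens nested membership the way a `wbinfo --group-info BUILTIN/users` listing would need to. The cycle case reflects the thread's observation that `net sam addmem` accepts alias-in-alias. Everything except the well-known SID S-1-5-32-545 (BUILTIN\Users), RID 513 for Domain Users and the SID_NAME_USE numbers from MS-LSAT is constructed for the example: the domain SIDs, user RIDs and the group ADDOMAIN/devs are made up.

```python
"""Toy model of SAMR alias vs. global-group membership (example, not Samba code)."""
from dataclasses import dataclass, field

# SID_NAME_USE values from MS-LSAT; Samba's lsa_SidType uses the same numbers.
SID_NAME_USER, SID_NAME_DOM_GRP, SID_NAME_ALIAS = 1, 2, 4

# Sample SIDs: only S-1-5-32-545 (BUILTIN\Users) is real, the rest are constructed.
BUILTIN_USERS = "S-1-5-32-545"
DOM = "S-1-5-21-1111-2222-3333"                    # made-up AD domain SID
DOMAIN_USERS, DEVS = f"{DOM}-513", f"{DOM}-1201"   # 513 is Domain Users; devs is made up
JOE, JANE = f"{DOM}-1105", f"{DOM}-1106"           # made-up user RIDs
TESTGROUP1, TESTGROUP2 = "S-1-5-21-4444-5555-6666-1001", "S-1-5-21-4444-5555-6666-1002"

@dataclass
class SamObject:
    name: str
    sid_type: int
    members: set = field(default_factory=set)      # direct member SIDs

class Sam:
    def __init__(self):
        self.objects = {}

    def add(self, sid, name, sid_type):
        self.objects[sid] = SamObject(name, sid_type)

    def add_member_to_alias(self, alias_sid, member_sid):
        """Windows rule per the thread: users and global groups may join an alias, another alias may not."""
        alias, member = self.objects[alias_sid], self.objects[member_sid]
        if alias.sid_type != SID_NAME_ALIAS or member.sid_type == SID_NAME_ALIAS:
            raise ValueError(f"cannot add {member.name} to alias {alias.name}")
        alias.members.add(member_sid)

    def add_member_to_group(self, group_sid, member_sid):
        """Global groups may contain users and other global groups, not aliases."""
        if self.objects[member_sid].sid_type == SID_NAME_ALIAS:
            raise ValueError(f"cannot add an alias to group {self.objects[group_sid].name}")
        self.objects[group_sid].members.add(member_sid)

    def get_members_in_alias(self, alias_sid):
        """SamrGetMembersInAlias direction: one alias -> its direct member SIDs."""
        return set(self.objects[alias_sid].members)

    def get_alias_membership(self, sids):
        """SamrGetAliasMembership direction: SIDs -> aliases directly containing any of them.
        A reverse lookup, used for token building; it cannot list an alias's members."""
        return {sid for sid, o in self.objects.items()
                if o.sid_type == SID_NAME_ALIAS and not o.members.isdisjoint(sids)}

    def expand_users(self, sid, seen=None):
        """Transitive user members through nested groups; `seen` keeps this terminating
        on cycles, which Samba's `net sam addmem` can create (per the thread)."""
        seen = set() if seen is None else seen
        if sid in seen:
            return set()
        seen.add(sid)
        obj = self.objects[sid]
        if obj.sid_type == SID_NAME_USER:
            return {sid}
        return set().union(*(self.expand_users(m, seen) for m in obj.members))

    def group_info(self, sid, gid):
        """Render like `wbinfo --group-info`: name:x:gid:member,member,..."""
        names = sorted(self.objects[s].name for s in self.expand_users(sid))
        return f"{self.objects[sid].name}:x:{gid}:{','.join(names)}"

def demo():
    """BUILTIN\\Users holds Domain Users -> {joe, devs -> {jane}}; TestGroup1/2 are empty aliases."""
    sam = Sam()
    for sid, name, kind in [
        (BUILTIN_USERS, "BUILTIN/users", SID_NAME_ALIAS),
        (DOMAIN_USERS, "ADDOMAIN/domain users", SID_NAME_DOM_GRP),
        (DEVS, "ADDOMAIN/devs", SID_NAME_DOM_GRP), (JOE, "ADDOMAIN/joe", SID_NAME_USER),
        (JANE, "ADDOMAIN/jane", SID_NAME_USER), (TESTGROUP1, "TestGroup1", SID_NAME_ALIAS),
        (TESTGROUP2, "TestGroup2", SID_NAME_ALIAS),
    ]:
        sam.add(sid, name, kind)
    sam.add_member_to_group(DOMAIN_USERS, JOE)
    sam.add_member_to_group(DOMAIN_USERS, DEVS)
    sam.add_member_to_group(DEVS, JANE)
    sam.add_member_to_alias(BUILTIN_USERS, DOMAIN_USERS)
    try:                                   # Windows-style refusal of alias-in-alias
        sam.add_member_to_alias(TESTGROUP1, TESTGROUP2)
        nesting_allowed = True
    except ValueError:
        nesting_allowed = False
    # Bypass the check to mimic what Samba's `net sam addmem` lets through (a cycle, even).
    sam.objects[TESTGROUP1].members.add(TESTGROUP2)
    sam.objects[TESTGROUP2].members.update({TESTGROUP1, JANE})
    return {
        "direct_members": sam.get_members_in_alias(BUILTIN_USERS),       # {DOMAIN_USERS}
        "wrong_direction": sam.get_alias_membership([BUILTIN_USERS]),    # set()
        "token_aliases": sam.get_alias_membership([JOE, DOMAIN_USERS]),  # {BUILTIN_USERS}
        "group_info": sam.group_info(BUILTIN_USERS, 100001),
        "alias_nesting_allowed": nesting_allowed,                        # False
        "cycle_users": sam.expand_users(TESTGROUP1),                     # {JANE}
    }
```

The `wrong_direction` entry is the point of the mail's first fix: asking GetAliasMembership about the alias's own SID returns nothing, which is consistent with the empty member list `wbinfo --group-info BUILTIN/users` printed. The `group_info` entry shows what a listing that follows the alias into the nested global groups looks like, and `cycle_users` shows why a resolver on Samba needs a visited set, since nothing stops `net sam addmem` from creating an alias cycle.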