Re: [Patch] Add support for Windows BUILTIN groups

On 31/01/2014 21:40, Arthur de Jong wrote:
> On Fri, 2014-01-31 at 14:26 +0100, Davy Defaud wrote:
>> As you can see, there are two other ranges plus an isolated group
>> (579) that are prefixed by S-1-5-32. So my patch should concern the
>> following RIDs: 544-552, 554-562, 569, 573-580. But, perhaps a safer,
>> simpler and compatible way to do the work could be to search in
>> S-1-5-21-domain first and then, if nothing is found, in S-1-5-32 (only
>> for RIDs between 500 and 999, of course). WDYT?
> That would be possible but the code currently doesn't handle "no results
> found" especially. This would mean that the code (generated with macros)
> would become much more complicated. It also means multiple searches need
> to be done for these lookups.
>
>> The RIDs are supposed to be unique, whatever their SID prefixes are.
>> But we could give priority to domain groups, if we choose the
>> proposition above...
> I think I prefer the solution of, given a RID, build the appropriate SID
> to search for. Since non-default RIDs start with 1000 anyway (if you
> believe wikipedia), there shouldn't be a problem to map RIDs 544-522 to
> S-1-5-32 because S-1-5-21-domain-544 should not exist.
>
> So I would say, use S-1-5-32 for the following and use S-1-5-21-domain
> for the rest.
>
> RID range  SID prefix  Name
> 544 - 552  S-1-5-32    built-in groups
> 554 - 562  S-1-5-32    additional built-in groups
> 569 - 569  S-1-5-32    Cryptographic Operators
> 573 - 580  S-1-5-32    additional built-in groups
>
> And use the domain SID for all other RIDs. A few questions though (AD
> experts, please step up ;) ):
>
> - are all those groups useful to have on the (Unix) system?
> - should something similar be done with users (they share the
>   same namespace with groups in AD)?
> - should the SIDs as returned from AD also be checked against
>   these ranges (perhaps even ignoring SIDs with a RID < 100
>   altogether because they seem to be internal anyway and
>   can be present in multiple SIDs)?
>   (currently, only the RID part of the SID is considered)

I let the experts speak...

>
> Anyway, I've pushed the initial change for now (only containing the
> 544-552 range), thanks for your contribution.
>

Thank you very much Arthur.

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
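The RID-to-SID mapping proposed in the quoted message (BUILTIN prefix S-1-5-32 for RIDs 544-552, 554-562, 569 and 573-580, the domain SID for everything else) and the reverse check Arthur raises as an open question (verifying that a SID returned by AD carries the prefix the RID implies) are shown here as an added Python example. It is not nss-pam-ldapd code and does not use its API; the domain SID is a constructed value, the `min_rid` cut-off is the "ignore RIDs below 100" idea from the thread expressed as a tunable parameter, and the function names are this example's own.

```python
import re

# Well-known BUILTIN domain SID prefix.
BUILTIN_SID = "S-1-5-32"

# RID ranges that live under S-1-5-32, copied from the table in the
# quoted message: 544-552, 554-562, 569, 573-580.
BUILTIN_RID_RANGES = ((544, 552), (554, 562), (569, 569), (573, 580))

# Constructed example domain SID for the demonstration (not a real domain).
EXAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Accepts either a domain SID (S-1-5-21-a-b-c) or the BUILTIN prefix,
# followed by one trailing RID component.
_SID_RE = re.compile(r"^S-1-5-(21-\d+-\d+-\d+|32)-(\d+)$")


def is_builtin_rid(rid):
    """True if the RID falls in one of the BUILTIN ranges from the table."""
    return any(lo <= rid <= hi for lo, hi in BUILTIN_RID_RANGES)


def sid_for_rid(rid, domain_sid):
    """Forward direction: given a RID, build the single SID to search for.

    BUILTIN ranges get the S-1-5-32 prefix, every other RID gets the
    domain SID, so one LDAP search suffices (no 'try domain first,
    fall back to BUILTIN' second query).
    """
    if rid < 0:
        raise ValueError("RID must be non-negative")
    prefix = BUILTIN_SID if is_builtin_rid(rid) else domain_sid
    return f"{prefix}-{rid}"


def rid_for_sid(sid, domain_sid, min_rid=100):
    """Reverse direction: take a SID as returned by AD and extract its RID.

    Returns the RID only if the SID is well formed, the RID is at least
    min_rid (assumption: low RIDs are treated as internal and ignored), and
    the prefix is exactly the one sid_for_rid() would pick for that RID.
    A BUILTIN RID under the domain prefix, a domain RID under S-1-5-32,
    or a SID from a different domain all yield None instead of a RID that
    could later map back to a different object.
    """
    m = _SID_RE.match(sid)
    if m is None:
        return None
    rid = int(m.group(2))
    if rid < min_rid:
        return None
    if sid_for_rid(rid, domain_sid) != sid:
        return None
    return rid


if __name__ == "__main__":
    for rid in (512, 544, 553, 569, 580, 581, 1000):
        print(rid, "->", sid_for_rid(rid, EXAMPLE_DOMAIN_SID))
    for sid in ("S-1-5-32-544", EXAMPLE_DOMAIN_SID + "-544",
                EXAMPLE_DOMAIN_SID + "-1000", "S-1-5-32-1000"):
        print(sid, "->", rid_for_sid(sid, EXAMPLE_DOMAIN_SID))
```

The reverse check rejects a SID from a foreign domain as well, because the comparison is against the configured domain SID rather than just the S-1-5-21 shape; whether that is desirable depends on whether the directory is expected to return trust-domain objects.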