
Re: [Patch] Add support for Windows BUILTIN groups


On Thu, 2014-01-30 at 17:04 +0100, Davy Defaud wrote:
> Here's a very quick and simple patch in order to get Windows BUILTIN
> groups when searching a group by gid (RID).

Thanks for the patch. I don't have access to an AD instance to test this
but the patch seems simple enough.

> The aim of this patch is to map the gid (gidNumber) to an AD SID RID
> between 544 and 552, because in that case the SID prefix is not the
> domain's prefix (S-1-5-21-dddddddddd-ddddddddd-ddddddddd) but the
> BUILTIN SID prefix (1-5-32).

Is it correct that there normally should not be any domain groups in AD
that have a RID in the range 544 to 522?

> For example, if you add a user to the Administrators builtin group
> (S-1-5-21-544), now you should be able to get this group through nslcd,
> instead of having this error message:

That should probably be S-1-5-32-544 if I understand correctly.

> $ groups myuser
> myuser : Domain Users groups: cannot find name for group ID 544
> 544 compta pantin
> 
> Of course, this could be made in a more configurable way...

If this range is never used for domain groups I don't see a strong need
for configurability unless there are other ranges that may also need to
be mapped to other SIDs.

There was a memory leak in your patch though: sid2search() returns a
freshly allocated string every time but I've fixed that. I'll push the
change via Git if you can confirm that the ranges shouldn't clash.

Thanks!

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
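
The gid-to-SID mapping discussed in this thread, as an added example that is not part of the original message or of nss-pam-ldapd: RIDs 544 to 552 get the BUILTIN prefix, every other gid gets the domain prefix, and the result is written into a caller-supplied buffer so there is no allocation to leak. It goes one step further than the thread by emitting the binary SID layout escaped per RFC 4515 for use as an LDAP filter value; the function name and the sample domain SID are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUILTIN_RID_MIN 544UL /* range quoted in the thread */
#define BUILTIN_RID_MAX 552UL

/* Hypothetical helper, not nslcd code. Writes the RFC 4515-escaped binary
   SID for gid into the caller's buffer, so there is no allocation to leak.
   domain_sid is the textual domain SID, e.g. "S-1-5-21-1-2-3" (constructed).
   Returns 0, or -1 on malformed input or a buffer that is too small. */
int gid_to_sid_filter(const char *domain_sid, unsigned long gid,
                      char *buf, size_t buflen)
{
    uint32_t sub[15];                 /* a SID has at most 15 sub-authorities */
    unsigned count = 0, i;
    unsigned long auth;
    char *end;
    const char *p = domain_sid;

    if (gid >= BUILTIN_RID_MIN && gid <= BUILTIN_RID_MAX)
        p = "S-1-5-32";               /* BUILTIN prefix instead of the domain's */
    if (p == NULL || strncmp(p, "S-1-", 4) != 0 ||
        !isdigit((unsigned char)p[4])) return -1;
    auth = strtoul(p + 4, &end, 10);  /* identifier authority, 5 for NT */
    if (auth > 0xffffffffUL || gid > 0xffffffffUL) return -1;
    while (*end == '-') {             /* sub-authorities of the prefix */
        unsigned long v;
        if (!isdigit((unsigned char)end[1]) || count >= 14) return -1;
        v = strtoul(end + 1, &end, 10);
        if (v > 0xffffffffUL) return -1;
        sub[count++] = (uint32_t)v;
    }
    if (*end != '\0') return -1;
    sub[count++] = (uint32_t)gid;     /* the RID is the last sub-authority */
    /* 8 header bytes plus 4 per sub-authority, 3 characters per byte */
    if (buflen < 3 * (8 + 4 * (size_t)count) + 1) return -1;
    /* revision 1, count, then the authority as 6 big-endian bytes */
    buf += sprintf(buf, "\\01\\%02x\\00\\00\\%02x\\%02x\\%02x\\%02x", count,
                   (unsigned)(auth >> 24) & 0xff, (unsigned)(auth >> 16) & 0xff,
                   (unsigned)(auth >> 8) & 0xff, (unsigned)auth & 0xff);
    for (i = 0; i < count; i++)       /* sub-authorities are little-endian */
        buf += sprintf(buf, "\\%02x\\%02x\\%02x\\%02x", sub[i] & 0xff,
                       (sub[i] >> 8) & 0xff, (sub[i] >> 16) & 0xff, sub[i] >> 24);
    return 0;
}
```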