RSS feed

Re: [Patch] Add support for Windows BUILTIN groups

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: [Patch] Add support for Windows BUILTIN groups

On Thu, 2014-01-30 at 17:04 +0100, Davy Defaud wrote:
> Here's a very quick and simple patch in order to get Windows BUILTIN
> groups when searching a group by gid (RID).

Thanks for the patch. I don't have access to an AD instance to test this
but the patch seems simple enough.

> The aim of this patch is to map the gid (gidNumber) to an AD SID RID
> between 544 and 552, because in that case the SID prefix is not the
> domain's prefix (S-1-5-21-dddddddddd-ddddddddd-ddddddddd) but the
> BUILTIN SID prefix (1-5-32).

Is it correct that there normally should not be any domain groups in AD
that have a RID in the range 544 to 522?

> For example, if you add a user to the Administrators builtin group
> (S-1-5-21-544), now you should be able to get this group through nslcd,
> instead of having this error message:

That should probably be S-1-5-32-544 if I understand correctly.

> $ groups myuser
> myuser : Domain Users groups: cannot find name for group ID 544
> 544 compta pantin
> Of course, this could be made in a more configurable way...

If this range is never used for domain groups I don't see a strong need
for configurability unless there are other ranges that may also need to
be mapped to other SIDs.

There was a memory leak in your patch though: sid2search() returns a
freshly allocated string every time but I've fixed that. I'll push the
change via Git if you can confirm that the ranges shouldn't clash.


-- arthur - - --
To unsubscribe send an email to or see