Re: [Patch] Add support for Windows BUILTIN groups
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: [Patch] Add support for Windows BUILTIN groups
- Date: Fri, 31 Jan 2014 21:40:15 +0100
On Fri, 2014-01-31 at 14:26 +0100, Davy Defaud wrote:
> As you can see, there are two other ranges plus an isolated group
> (579) that are prefixed by S-1-5-32. So my patch should concern the
> following RIDs: 544-552, 554-562, 569, 573-580. But, perhaps a safer,
> simpler and compatible way to do the work could be to search in
> S-1-5-21-domain first and then, if nothing is found, in S-1-5-32 (only
> for RIDs between 500 and 999, of course). WDYT?
That would be possible but the code currently doesn't handle "no results
found" especially. This would mean that the code (generated with macros)
would become much more complicated. It also means multiple searches need
to be done for these lookups.
> The RIDs are supposed to be unique, whatever their SID prefixes are.
> But we could give priority to domain groups, if we choose the
> proposition above...
I think I prefer the solution of, given a RID, building the appropriate SID
to search for. Since non-default RIDs start with 1000 anyway (if you
believe wikipedia), there shouldn't be a problem to map RIDs 544-552 to
S-1-5-32 because S-1-5-21-domain-544 should not exist.
So I would say, use S-1-5-32 for the following and use S-1-5-21-domain
for the rest.
RID range   SID prefix   Name
544 - 552   S-1-5-32     built-in groups
554 - 562   S-1-5-32     additional built-in groups
569 - 569   S-1-5-32     Cryptographic Operators
573 - 580   S-1-5-32     additional built-in groups
And use the domain SID for all other RIDs. A few questions though (AD
experts, please step up ;) ):
- are all those groups useful to have on the (Unix) system?
- should something similar be done with users (they share the
same namespace with groups in AD)?
- should the SIDs as returned from AD also be checked against
these ranges (perhaps even ignoring SIDs with a RID < 100
altogether because they seem to be internal anyway and
can be present in multiple SIDs)?
(currently, only the RID part of the SID is considered)
Anyway, I've pushed the initial change for now (only containing the
544-552 range), thanks for your contribution.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
--
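The mapping Arthur describes (build the SID from the RID, using S-1-5-32 for the listed ranges and the domain SID for everything else), plus the reverse check he raises in his third question, as an added example in C. This is not code from nss-pam-ldapd; it assumes the domain SID is passed in as a string such as "S-1-5-21-1-2-3", and the range table is the one from the mail above.

```c
#include <stdio.h>
#include <string.h>

/* RID ranges that live under the BUILTIN prefix S-1-5-32 (table from the mail). */
static int rid_is_builtin(unsigned int rid)
{
    return (rid >= 544 && rid <= 552) ||
           (rid >= 554 && rid <= 562) ||
           rid == 569 ||
           (rid >= 573 && rid <= 580);
}

/* Build the SID to search for from a RID and the domain SID (assumed format
   "S-1-5-21-..."). Returns 0 on success, -1 if the domain SID does not look
   like a domain SID or the output buffer is too small. */
int rid_to_sid(unsigned int rid, const char *domain_sid, char *out, size_t outlen)
{
    int n;
    if (rid_is_builtin(rid))
        n = snprintf(out, outlen, "S-1-5-32-%u", rid);
    else {
        if (strncmp(domain_sid, "S-1-5-21-", 9) != 0)
            return -1;
        n = snprintf(out, outlen, "%s-%u", domain_sid, rid);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Reverse check for a SID returned by the directory: the RID must sit under the
   prefix its range implies (BUILTIN ranges under S-1-5-32, all others under the
   domain SID). Returns 1 if consistent, 0 if not or if the SID is malformed. */
int sid_is_consistent(const char *sid, const char *domain_sid)
{
    const char *dash = strrchr(sid, '-');
    unsigned int rid;
    size_t plen;
    if (dash == NULL || sscanf(dash + 1, "%u", &rid) != 1)
        return 0;
    plen = (size_t)(dash - sid);            /* length of the prefix before the RID */
    if (rid_is_builtin(rid))
        return plen == 8 && strncmp(sid, "S-1-5-32", 8) == 0;
    return plen == strlen(domain_sid) && strncmp(sid, domain_sid, plen) == 0;
}
```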