RSS feed

Re: [Patch] Add support for Windows BUILTIN groups

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: [Patch] Add support for Windows BUILTIN groups

Le 31/01/2014 21:40, Arthur de Jong a écrit :
> On Fri, 2014-01-31 at 14:26 +0100, Davy Defaud wrote:
>> As you can see, there are two other ranges plus an isolated group
>> (579) that are prefixed by S-1-5-32. So my patch should concern the
>> following RIDs: 544-552, 554-562, 569, 573-580. But, perhaps a safer,
>> simpler and compatible way to do the work could be to search in
>> S-1-5-21-domain first and then, if nothing is found, in S-1-5-32 (only
>> for RIDs between 500 and 999, of course). WDYT?
> That would be possible but the code currently doesn't handle "no results
> found" especially. This would mean that the code (generated with macros)
> would become much more complicated. It also means multiple searches need
> to be done for these lookups.
>> The RIDs are supposed to be unique, whatever their SID prefixes are.
>> But we could give priority to domain groups, if we choose the
>> proposition above...
> I think I prefer the solution of, given a RID, build the appropriate SID
> to search for. Since non-default RIDs start with 1000 anyway (if you
> believe wikipedia), there shouldn't be a problem to map RIDs 544-522 to
> S-1-5-32 because S-1-5-21-domain-544 should not exist.
> So I would say, use S-1-5-32 for the following and use S-1-5-21-domain
> for the rest.
> RID range  SID prefix  Name
> 544 - 552  S-1-5-32    built-in groups
> 554 - 562  S-1-5-32    additional built-in groups
> 569 - 569  S-1-5-32    Cryptographic Operators
> 573 - 580  S-1-5-32    additional built-in groups
> And use the domain SID for all other RIDs. A few questions though (AD
> experts, please step up ;) ):
> - are all those groups useful to have on the (Unix) system?
> - should something similarly be done with users (they share the
>   same namespace with groups in AD)?
> - should the SIDs as returned from AD also be checked against
>   these ranges (perhaps even ignoring SIDs with a RID < 100
>   altogether because they seem to be internal anyway and
>   can be present in multiple SIDs)?
>   (currently, only the RID part of the SID is considered)

I let the experts speak...

> Anyway, I've pushed the initial change for now (only containing the
> 544-552 range), thanks for your contribution.

Thank you very much Arthur.

To unsubscribe send an email to or see