Re: [Patch] Add support for Windows BUILTIN groups
- From: Davy Defaud <davy.defaud [at] free.fr>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: [Patch] Add support for Windows BUILTIN groups
- Date: Mon, 03 Feb 2014 18:48:33 +0100
On 31/01/2014 21:40, Arthur de Jong wrote:
> On Fri, 2014-01-31 at 14:26 +0100, Davy Defaud wrote:
>> As you can see, there are two other ranges plus an isolated group
>> (579) that are prefixed by S-1-5-32. So my patch should concern the
>> following RIDs: 544-552, 554-562, 569, 573-580. But, perhaps a safer,
>> simpler and compatible way to do the work could be to search in
>> S-1-5-21-domain first and then, if nothing is found, in S-1-5-32 (only
>> for RIDs between 500 and 999, of course). WDYT?
> That would be possible but the code currently doesn't handle "no results
> found" especially. This would mean that the code (generated with macros)
> would become much more complicated. It also means multiple searches need
> to be done for these lookups.
>
>> The RIDs are supposed to be unique, whatever their SID prefixes are.
>> But we could give priority to domain groups, if we choose the
>> proposition above...
> I think I prefer the solution of, given a RID, build the appropriate SID
> to search for. Since non-default RIDs start with 1000 anyway (if you
> believe wikipedia), there shouldn't be a problem to map RIDs 544-522 to
> S-1-5-32 because S-1-5-21-domain-544 should not exist.
>
> So I would say, use S-1-5-32 for the following and use S-1-5-21-domain
> for the rest.
>
> RID range   SID prefix   Name
> 544 - 552   S-1-5-32     built-in groups
> 554 - 562   S-1-5-32     additional built-in groups
> 569 - 569   S-1-5-32     Cryptographic Operators
> 573 - 580   S-1-5-32     additional built-in groups
>
> And use the domain SID for all other RIDs. A few questions though (AD
> experts, please step up ;) ):
>
> - are all those groups useful to have on the (Unix) system?
> - should something similar be done with users (they share the
> same namespace with groups in AD)?
> - should the SIDs as returned from AD also be checked against
> these ranges (perhaps even ignoring SIDs with a RID < 100
> altogether because they seem to be internal anyway and
> can be present in multiple SIDs)?
> (currently, only the RID part of the SID is considered)
I'll let the experts speak...
>
> Anyway, I've pushed the initial change for now (only containing the
> 544-552 range), thanks for your contribution.
>
Thank you very much, Arthur.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
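The RID-to-SID rule from Arthur's quoted table, written out as an added C example (not code from nss-pam-ldapd): given a RID, pick the S-1-5-32 prefix for the listed ranges and the domain SID otherwise, and, for the third question raised above, check a SID returned by AD against the same rule. The function names and the form of the domain SID argument are assumptions; the domain SID used in the test is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RID ranges that live under the BUILTIN authority S-1-5-32, taken from
   the table in the thread; every other RID is looked up under the domain SID. */
static const struct { unsigned lo, hi; } builtin_rids[] = {
  { 544, 552 }, { 554, 562 }, { 569, 569 }, { 573, 580 },
};

static int rid_is_builtin(unsigned rid)
{
  size_t i;
  for (i = 0; i < sizeof(builtin_rids) / sizeof(builtin_rids[0]); i++)
    if ((rid >= builtin_rids[i].lo) && (rid <= builtin_rids[i].hi))
      return 1;
  return 0;
}

/* Build the SID string to search for. domain_sid is the S-1-5-21-... prefix
   without a trailing RID (assumed form). Returns 0 on success, -1 if buf is
   too small. */
int rid_to_sid(unsigned rid, const char *domain_sid, char *buf, size_t buflen)
{
  const char *prefix = rid_is_builtin(rid) ? "S-1-5-32" : domain_sid;
  int n = snprintf(buf, buflen, "%s-%u", prefix, rid);
  return ((n < 0) || ((size_t)n >= buflen)) ? -1 : 0;
}

/* Check a SID as returned by AD: parse the trailing RID and verify that the
   prefix agrees with what rid_to_sid() would generate for it. Returns the RID,
   or 0 when the SID is malformed or inconsistent with the table. */
unsigned sid_check(const char *sid, const char *domain_sid)
{
  const char *dash = strrchr(sid, '-');
  char *end;
  unsigned long rid;
  char expected[128];
  if ((dash == NULL) || (dash[1] == '\0'))
    return 0;
  rid = strtoul(dash + 1, &end, 10);
  if ((*end != '\0') || (rid == 0) || (rid > 0xFFFFFFFFul))
    return 0;
  if (rid_to_sid((unsigned)rid, domain_sid, expected, sizeof(expected)) != 0)
    return 0;
  return (strcmp(sid, expected) == 0) ? (unsigned)rid : 0;
}
```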