Re: getent gid does not return group name

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Thomas Loimer <thomas.loimer [at] tuwien.ac.at>
To: <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: Re: getent gid does not return group name
Date: Mon, 16 Nov 2015 09:25:53 +0100

On Fri, 6 Nov 2015, Thomas Loimer wrote:

When using
 map group gidNumber objectSid:S-1-5-21-12341...
in /etc/nslcd.conf, then
 getent groupname
correctly returns the group information, including the gid (1234), but
 getent 1234
fails.

On 2015-11-07 08:46, Arthur de Jong wrote:


The length of the SID value when using the objectSid mapping really
matters. For the translation from objectSid to gid and uid it should
always just use the last bit only but for constructing the full SID from
the gid or uid the configured value is used.

Hope this helps.

Kind regards,

Thanks for clueing me in, I had to have a closer look at that Sid-business.

To answer my own question: When retrieving information from theldap-server, I got, e.g.

objectSid:: AAU--base64string---AA==

Decoding that string yielded the Sid-number, with each pair of bytesswapped,

echo AAU--base64string---AA== | base64 -d | od -x
000000 0501 0000 0000 0500 0015 0000 097f 1f75
000020 1c1d 1a1b 2c2d 2a2b
The correct number is then, in hex,
1-5-21-1f75097f-1a1b1c1d-2a2b2c2d
The site
http://www.selfadsi.org/deep-inside/microsoft-sid-attributes.htm
was helpful for me.

Best regards,

--
Thomas

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

getent gid does not return group name, Thomas Loimer
- Re: getent gid does not return group name, Arthur de Jong
  - Re: getent gid does not return group name, Thomas Loimer

Prev by Date: Fwd: $hostname returns the FQDN
Next by Date: Re: Failed to login using a serial connection.
Previous by thread: Re: getent gid does not return group name
Next by thread: Failed to login using a serial connection.