Re: getent gid does not return group name
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: getent gid does not return group name
- From: Thomas Loimer <thomas.loimer [at] tuwien.ac.at>
- To: <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: getent gid does not return group name
- Date: Mon, 16 Nov 2015 09:25:53 +0100
On Fri, 6 Nov 2015, Thomas Loimer wrote:
When using
map group gidNumber objectSid:S-1-5-21-12341...
in /etc/nslcd.conf, then
getent groupname
correctly returns the group information, including the gid (1234), but
getent 1234
fails.
On 2015-11-07 08:46, Arthur de Jong wrote:
The length of the SID value when using the objectSid mapping really
matters. For the translation from objectSid to gid and uid it should
always just use the last bit only but for constructing the full SID from
the gid or uid the configured value is used.
Hope this helps.
Kind regards,
Thanks for clueing me in, I had to have a closer look at that Sid-business.
To answer my own question: When retrieving information from the
ldap-server, I got, e.g.
objectSid:: AAU--base64string---AA==
Decoding that string yielded the Sid-number, with each pair of bytes
swapped,
echo AAU--base64string---AA== | base64 -d | od -x
000000 0501 0000 0000 0500 0015 0000 097f 1f75
000020 1c1d 1a1b 2c2d 2a2b
The correct number is then, in hex,
1-5-21-1f75097f-1a1b1c1d-2a2b2c2d
The site
http://www.selfadsi.org/deep-inside/microsoft-sid-attributes.htm
was helpful for me.
Best regards,
--
Thomas
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/