Re: Mapping of RIDs to uid_t and gid_t

Luke Kenneth Casson Leighton (lkcl@switchboard.net)
Fri, 3 Apr 1998 15:39:33 +0100 (BST)

Date:	Fri, 3 Apr 1998 15:39:33 +0100 (BST)
From:	Luke Kenneth Casson Leighton <lkcl@switchboard.net>
To:	Multiple recipients of list <samba-technical@samba.anu.edu.au>, Jeremy Allison <jallison@whistle.com>
Subject: Re: Mapping of RIDs to uid_t and gid_t
In-Reply-To: <35244092.446B9B3D@whistle.com>

On Fri, 3 Apr 1998, Jeremy Allison wrote:

> I have been doing some thinking of late on the
> mapping of UNIX uid_t's and gid_t's to NT domain
> 32 bit RID's. Here are my thoughts so far.
>
> Comments are welcome, as I'm going to be coding
> these up for Samba soon :-).
>
> The problem:
>
> The last component of an NT SID is a 32bit
> unsigned 'RID' - or relative ID. Both users,
> groups, aliases (whatever *they* are :-) and
> machine accounts in an NT SAM map into this
> space, and NT has some 'well known' numbers
> that must be the same across different domains
> - they're hard-coded into the include files for
> NT (just to be helpful :-).
>
> The possible different types of RID are :
>
> User, Group, Domain, Alias, WellKnownGroup,
> Deleted, Invalid and Unknown.
>
> The 'well known' numbers are:
>

> Well known group id's
> ---------------------
>
> Administrators - 544
> Users - 545
> Guests - 546

these are domain groups

> Well known aliases (what *exactly* are these ?)
> -----------------------------------------------
>
> Administrators - 544
> Users - 545
> Guests - 546
> Power users - 547
> Account operators - 548
> System operators - 549
> Printer operators - 550
> Backup operators - 551
> Replicator - 552

these are _local_ machine groups.

when you do a lookup on a stand-alone NT server (LsaQueryInfoPolicy) that
is a member of a domain, and you look up level "3", you get back the SID
of the domain that that computer is a member of.

when you do a lookup at level "5", you get back the SID of the _machine_.
the _machine_ has its own local "domain", if you like.

the well-known aliases apply to these "local domains", whereas the well
known groups apply to the "remote domain".

does that make sense? does anyone agree / disagree / know better / can
explain this better? mr john terpstra, any ideas / comments?

luke