I'm trying to grasp pg. 154 of the "Official SAMBA-3" book by Terpstra and Vernooij and I'm just missing a critical networking concept. I understand that SIDs are the numerical identification of a user for the Windows world. I understand that UIDs are the equivalent for the *nix world. But what the @$@! is a Relative IDentifier (RID)?!? On page 153 the command to map a Windows group to a *nix group - no mention of RIDs. Then on 154 it is stressed that under no circumstances should your *nix groups or users tread on Windows' assigned RIDs for Domain Admins, Domain Users, et al. Another example of groupmap - oh look, it lists a RID? No mention as to where a RID comes from or can be viewed. Do they mean that I can't have a user in Fedora that is 500? Isn't that a UID? Is a UID a RID? I've used Fedora for a year now and have never typed a RID-modifying command. I'm sure this is just so basic. But I don't know it and can't find it and it's critical to understand it. T.I.A.
On Sat, Aug 13, 2005 at 05:00:16PM -0700, Moondance Foxmarnick wrote:

> But what the @$@! is a Relative IDentifier (RID)?!?
>
> On page 153 the command to map a windows group to a *nix group - no mention
> of RIDs.

A SID is a 128 bit identifier of a user/group/computer on a network (a GUID really). It consists of a 96-bit "domain" id, with a 32-bit "relative id" (RID) suffix.

So for a given RID, you prepend the 96-bit domain id to get the full SID.

SIDs are supposed to be "structured", but for real users/groups and computers they are of the form described above.

Certain (less than 128 bit) SIDs are "well known" SIDs. Such as the "Administrators" group.

Jeremy.
OK - I'll bite! Clearly you have read the documentation I have written and find it deficient. That's OK! Now, will you help me to fix the deficiency please? I need your help to make the documentation more useful. Below is my side of this challenge you have issued. Please help me over my myopia.

On Saturday 13 August 2005 18:00, Moondance Foxmarnick wrote:

> I'm trying to grasp pg. 154 of the "Official SAMBA-3" book by Terpstra and
> Vernooij and I'm just missing a critical networking concept.

Good. Let's fix this now. I presume that we are talking about the current version of this book. Right? Here's the URL: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

If this is NOT the version you checked, please let me know precisely the URL from which you obtained this and the creation date so I can refer to the same document as you have.

> I understand that SIDs are the numerical identification of a user for the
> Windows world.

Correct. I checked the index for RID. The first reference is in section 4.1 (page 46 in my build) where it says:

<quote>
A domain provides a unique network security identifier (SID). Domain user and group security identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to the account. User and group SIDs (the network SID plus the RID) can be used to create access control lists (ACLs) attached to network resources to provide organizational access control. UNIX systems recognize only local security identifiers.
</quote>

So from this it might be interpreted that each Windows account has a unique RID, just as a UNIX user has a unique UID. Every Windows machine and every Windows security domain has a unique SID. A user SID is made up of the machine or domain SID and is concatenated with a RID.

If that is not your interpretation please help me to understand the source of confusion in the quoted section.

> I understand that UIDs are the equivalent for the *nix world.

A user account that has been created on a Windows workstation will have a locally assigned RID. If an account is created in a Windows NT4 or Active Directory Domain it will be allocated a unique RID within that security context.

> But what the @$@! is a Relative IDentifier (RID)?!?

A RID is like a UID or a GID. Where UNIX has separate IDs for users and groups, Windows has just one - the RID. But the workstation referred to above has its SID. Every Windows workstation has a unique SID. Every Windows NT4 or ADS domain has a SID also. A user SID is made up of the SID of the security context within which it is created plus the RID.

A SID looks like this: S-1-5-21-11009899-23411980-22115678

If the user RID within the context of that SID has the value 879, then the user SID will be: S-1-5-21-11009899-23411980-22115678-879

> On page 153 the command to map a windows group to a *nix group - no mention
> of RIDs.

Sorry. I really goofed on that didn't I!

> Then on 154 it is stressed that under no circumstances should your *nix
> groups or users trod on window's assigned RIDs for Domain Admins, Domian
> Users, et. all. Another example of groupmap - oh look it lists a RID?

Please explain. What is your point now?

> No mention as to where a RID comes from or can be viewed.

Really? I believe that it was in fact covered in section 4.1 - but if that is not good enough please give me suggested text and a place you would like to see it located within the document (by section number please - not by page number).

> Do they mean that I can't have a user in Fedora that is 500?

Sheesh! Really not clear is it! UIDs are mapped to RIDs. Since Windows allocates RIDs sequentially for users, groups and for trust accounts we have to provide a way of mapping all UNIX users to a RID that is absolutely unique.

So Samba does algorithmic mapping. The RIDs are calculated like this:

User_RID = UID * 2 + 1000
Group_RID = GID * 2 + 1001

That means that a UID of 500 will produce a RID of 2000.

> Isn't that a UID?

No! I think I have clarified that.

> Is a UID a RID?

No. A UID is a UNIX identifier. A RID is a Windows identifier. Samba provides means to map them, but you can override the algorithmic mapping using the pdbedit and the net utilities. If you do override the mapping, just make sure you get no overlap between Windows user and group RIDs.

> I've used Fedora for a year now and have never typed a RID modifying
> command.

That is not a crime. No penalty is due. Most admins never need to mess with RIDs. If you follow the guidelines I documented you should not ever need to mess with the RIDs. That's the whole point of following standardized procedures as shown in the documentation.

> I'm sure this is just so basic. But I don't know it and can't find it and
> it's critical to understand it.

Right. Now that I have explained it, is this any clearer? If it is, please help me by rewriting or amending the documentation to remove the confusion. When can I expect your patch, documentation update submission or a detailed bug report on https://bugzilla.samba.org to help get this straightened out?

- John T.
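As an added example (not the book's or the Samba project's code), here is the algorithmic UID/GID-to-RID mapping John gives above, its inverse, the split of a full SID into domain SID plus RID, and the overlap check he says an overridden (pdbedit/net) mapping must pass. The numeric values of the well-known RIDs (Domain Admins = 512, etc.) are the standard Windows ones, which the thread names but does not list.

```python
import re

# Samba-3 algorithmic RID mapping as described in the thread:
#   User_RID  = UID * 2 + 1000  (even RIDs)
#   Group_RID = GID * 2 + 1001  (odd RIDs)
RID_BASE = 1000

# Standard well-known domain-relative RIDs (numbers are not in the thread;
# they come from the Windows SID specification).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins",
    513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
}

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def uid_to_rid(uid):
    return uid * 2 + RID_BASE

def gid_to_rid(gid):
    return gid * 2 + RID_BASE + 1

def rid_to_unix(rid):
    """Invert the mapping: ('user', uid) or ('group', gid); None below the base."""
    if rid < RID_BASE:
        return None
    offset = rid - RID_BASE
    return ("user" if offset % 2 == 0 else "group", offset // 2)

def split_sid(sid):
    """Split a full SID into (domain SID, RID): the RID is the last sub-authority."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def build_sid(domain_sid, rid):
    # Prepend the domain SID to a RID to get the account's full SID.
    return f"{domain_sid}-{rid}"

def rid_conflicts(user_rids, group_rids):
    """RIDs shared between users and groups, or colliding with well-known RIDs:
    exactly the overlap a hand-edited mapping must avoid."""
    users, groups = set(user_rids), set(group_rids)
    clashes = {r: "user/group overlap" for r in users & groups}
    for r in (users | groups) & set(WELL_KNOWN_RIDS):
        clashes[r] = f"well-known RID ({WELL_KNOWN_RIDS[r]})"
    return clashes
```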
> On Sat, Aug 13, 2005 at 05:00:16PM -0700, Moondance Foxmarnick wrote:
>> But what the @$@! is a Relative IDentifier (RID)?!?
>>
>> On page 153 the command to map a windows group to a *nix group - no mention
>> of RIDs.
>
> A SID is a 128 bit identifier of a user/group/computer on a network
> (a GUUID really). It consists of a 96-bit "domain" id, with a 32-bit
> "relative id" (RID) suffix.

Official Samba3 Howto is certainly missing such a clear definition :-)

I would expand user/group/computer to user/group/computer/domain/interdomaintrust/etc :-)

Every instance in SMB world has to have its own SID

> So for a given RID, you prepend the 96-bit domain id to get the full
> SID.
>
> SIDs are supposed to be "structured", but for real users/groups
> and computers they are of the form described above.
>
> Certain (less than 128 bit) SIDs are "well known" SIDs. Such as
> the "Administrators" group.
>
> Jeremy.
When you say: "Every instance in SMB world has to have its own SID"

Does that mean that on top of every logon, say - for each folder connection, a SID is generated? And if so, is this a temporary SID like a token for the session, or is it stored internally to SAMBA?

T.I.A.
-Moondance

-----Original Message-----
From: Ilia Chipitsine [mailto:ilia@paramon.ru]
Sent: Sunday, August 14, 2005 2:56 AM
To: Jeremy Allison
Cc: Moondance Foxmarnick; SAMBA
Subject: Re: [Samba] SIDs and UIDs and RIDs - Oh My!
On Sunday 14 August 2005 18:40, Moondance Foxmarnick wrote:

> When you say: " Every instance in SMB world has to have its own SID "
> Does that mean that on top of every logon, say- for each folder connection,
> a SID is generated?

No. A SID represents a security context. For example, every Windows machine has local accounts within the security context of the local machine which has a unique SID. Every domain (NT4, ADS, Samba) contains accounts that exist within the domain security context which is defined by the domain SID. A domain member server will have a SID that differs from the domain SID. The domain member server can be configured to regard all domain users as local users. It can also be configured to recognize domain users and groups as non-local. SIDs are persistent.

> And if so, is this a temporary SID like a token for the session, or is it
> stored internally to SAMBA?

The Samba domain and machine SIDs are stored in /etc/samba/secrets.tdb. You can view the contents of this file using tdbdump.

PS: I have updated the PDC Chapter to provide a more detailed explanation of the relationship between the RID and the SID. The on-line version of the HOWTO should reflect this change within 48 hours.

- John T.