Alexey A Nikitin
2019-Jun-13 06:55 UTC
[Samba] Samba + sssd deployment: success and failure
On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote:> >> I think you mean 'RID' instead of 'SID' > > > Yes, you're right. The Windows people seem to use the terms synonymously. > I cannot help that, the SID identifies the domain and the RID is > appended to the end of the SID and identifies the object (user, > group,computer etc) >I believe a small clarification is due here: SID does identify individual objects. It has a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as 'source of authority') as well as a 32-bit RID (relative ID, similar to UID/GID in POSIX except it is a single 32-bit space for any and all security principals in a domain/machine) itself as its components. AFAIK the only exceptions to the rule of SID including RID as its necessary part are Service SIDs and Machine SIDs. The Service SIDs are used to manage permissions for individual services (longer than typical SID and is based on SHA1 hash of the service name) and Machine SIDs are effectively just a special case of the SID prefix without RID. That said the machine accounts in AD will have full SID with RID, and that SID will not match the local machine SID at all. If any of the above is a misconception I have - please correct me. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part. URL: <lists.samba.org/pipermail/samba/attachments/20190612/6dd751c0/signature.sig>
On 13/06/2019 07:55, Alexey A Nikitin wrote:> On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote: >>>> I think you mean 'RID' instead of 'SID' >>> Yes, you're right. The Windows people seem to use the terms synonymously. >> I cannot help that, the SID identifies the domain and the RID is >> appended to the end of the SID and identifies the object (user, >> group,computer etc) >> > I believe a small clarification is due here: SID does identify individual objects. It has a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as 'source of authority') as well as a 32-bit RID (relative ID, similar to UID/GID in POSIX except it is a single 32-bit space for any and all security principals in a domain/machine) itself as its components. AFAIK the only exceptions to the rule of SID including RID as its necessary part are Service SIDs and Machine SIDs. The Service SIDs are used to manage permissions for individual services (longer than typical SID and is based on SHA1 hash of the service name) and Machine SIDs are effectively just a special case of the SID prefix without RID. That said the machine accounts in AD will have full SID with RID, and that SID will not match the local machine SID at all. > > If any of the above is a misconception I have - please correct me.You might think that and you may be correct in what you say, but it still doesn't alter the fact the SID by itself identifies the domain and to identify an individual object it gets a RID added to the end of the SID. The SID, can be in the form 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' or 'S-1-5-32' (there are others) Until you add a RID to the above, it only identifies a domain, but once you do, it identifies? an individual object in a domain, S-1-5-32-548 identifies the 'Account Operators' group in the BUILTIN domain. You cannot call something a SID, then add a RID to it and continue to call it a SID, 'SID-RID' perhaps would be a better term. Rowland
Alexey A Nikitin
2019-Jun-13 15:48 UTC
[Samba] Samba + sssd deployment: success and failure
On Thursday, 13 June 2019 00:41:09 PDT Rowland penny via samba wrote:> On 13/06/2019 07:55, Alexey A Nikitin wrote: > > On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote: > >>>> I think you mean 'RID' instead of 'SID' > >>> Yes, you're right. The Windows people seem to use the terms synonymously. > >> I cannot help that, the SID identifies the domain and the RID is > >> appended to the end of the SID and identifies the object (user, > >> group,computer etc) > >> > > I believe a small clarification is due here: SID does identify individual objects. It has a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as 'source of authority') as well as a 32-bit RID (relative ID, similar to UID/GID in POSIX except it is a single 32-bit space for any and all security principals in a domain/machine) itself as its components. AFAIK the only exceptions to the rule of SID including RID as its necessary part are Service SIDs and Machine SIDs. The Service SIDs are used to manage permissions for individual services (longer than typical SID and is based on SHA1 hash of the service name) and Machine SIDs are effectively just a special case of the SID prefix without RID. That said the machine accounts in AD will have full SID with RID, and that SID will not match the local machine SID at all. > > > > If any of the above is a misconception I have - please correct me. > > You might think that and you may be correct in what you say, but it > still doesn't alter the fact the SID by itself identifies the domain and > to identify an individual object it gets a RID added to the end of the SID. > > The SID, can be in the form 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' > or 'S-1-5-32' (there are others) > > Until you add a RID to the above, it only identifies a domain, but once > you do, it identifies an individual object in a domain, S-1-5-32-548 > identifies the 'Account Operators' group in the BUILTIN domain. > > You cannot call something a SID, then add a RID to it and continue to > call it a SID, 'SID-RID' perhaps would be a better term. > > Rowland > > > >According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece. Now, I'm not going to even pretend that I understand AD DS and Samba better than you do - I rather obviously don't since I'm not the one answering people's questions - but I would like us to get the terminology straight before we have any serious discussion about any of it to avoid misunderstandings. Thank you, Alexey [1] docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers#security-identifier-architecture -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part. URL: <lists.samba.org/pipermail/samba/attachments/20190613/cf2bba61/signature.sig>