Stable SIDs for "None"+"Administrator" ?

Roland Mainz roland.mainz@nrubsig.org
Sat Nov 9 17:55:35 GMT 2024


On Sat, Nov 9, 2024 at 6:00 PM Corinna Vinschen via Cygwin
<cygwin@cygwin.com> wrote:
> On Nov  9 17:31, Roland Mainz via Cygwin wrote:
> > Does anyone know a list of SIDs which can be used to get the
> > user+group accounts for passwd entry "Administrator" and group entry
> > "None" ?
> >
> > Our problem is that the actual account names vary with the system
> > locale, e.g. group entry "None" is "Kein" in "de_DE",  "Aucun" in
> > fr_FR etc. ...
> > ... so far we thought we fixed this by doing a lookup via SID, and
> > then remembering the localised name.
> >
> > But: The SIDs are apparently not stable between Windows versions.
> > For example:
> > ---- snip ----
> > # Windows Server 2022/en
> > $ getent group None
> > None:S-1-5-21-168624908-967194555-3343779530-513:197121:
> > # Windows Server 2019
> > $ getent group None
> > None:S-1-5-21-3286904461-661230000-4220857270-513:197121
> > ---- snip ----
>
> They *are* stable in that they are
>
>   ${Machine-SID}-513
>
> > And if there is no such list, would $ mkgroup | egrep
> > ':S-1-5-21-.+-513:' # be a suitable workaround ?
>
> No.
>
>   ${AD-SID}-513 == "Domain Users"
>
> I have not the faintest idea what the MS guys were thinking at the time,
> calling the group "None".  This is basically the equivalent of "Domain
> Users" for local accounts on machines not being domain controllers.  A
> useful name would have been "Local Users" or "Machine Users", but,
> well, it is what it is.
>
> The safe way to check the SID is to fetch the machine SID, attach the RID
> 513, and check for equality.

How can I get the "machine SID", preferably using /usr/bin/getent,
/usr/bin/getconf or /proc ?

----

Bye,
Roland
-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz@nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)
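
Added example (not part of the original mail or of Cygwin): the equality check described in the quoted reply, next to the regex workaround it rejects. The machine SID is passed in by the caller and is taken here from the Windows Server 2022 output above; the domain entry and its SID are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify group entries whose SID ends in RID 513.
# Input lines use the "name:SID:gid:" layout of the getent output in the thread.

# sid_of_entry LINE -> prints the SID (second colon-separated field)
sid_of_entry() {
    printf '%s\n' "$1" | cut -d: -f2
}

# is_local_none MACHINE_SID LINE
# Succeeds only when the entry's SID is exactly MACHINE_SID-513.
is_local_none() {
    [ "$(sid_of_entry "$2")" = "$1-513" ]
}

# matches_loose_regex LINE
# The pattern proposed in the thread: true for any S-1-5-21-...-513 SID,
# so it cannot tell the local group from a domain's "Domain Users".
matches_loose_regex() {
    printf '%s\n' "$1" | grep -Eq ':S-1-5-21-.+-513:'
}

# classify MACHINE_SID LINE -> prints "local", "other-513" or "no-match"
classify() {
    if is_local_none "$1" "$2"; then
        echo local
    elif matches_loose_regex "$2"; then
        echo other-513
    else
        echo no-match
    fi
}

# Machine SID = the "None" SID from the thread minus its trailing -513.
MACHINE_SID='S-1-5-21-168624908-967194555-3343779530'
# Entry quoted in the thread (Windows Server 2022).
LOCAL_ENTRY='None:S-1-5-21-168624908-967194555-3343779530-513:197121:'
# Constructed entry: made-up domain SID with RID 513.
DOMAIN_ENTRY='EXAMPLE+Domain Users:S-1-5-21-1111111111-2222222222-3333333333-513:1049089:'

classify "$MACHINE_SID" "$LOCAL_ENTRY"
classify "$MACHINE_SID" "$DOMAIN_ENTRY"
```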

