Best way to determine a well-known SID?
in [Win32 API]
|
Prev: Flip screen application
Next: Resize bitmap
From: Jonathan de Boyne Pollard on 6 Feb 2010 21:23 > > > Are there any SIDs that are of the form S-1–x–y thar are not > well-known SIDs? > Yes, plenty. The 1 is the revision number of the SID structure.
From: Alexander Grigoriev on 7 Feb 2010 00:02 Um... Can you make an example of not-well-known SID with a single subauthority component (that's what the OP was asking)? "Jonathan de Boyne Pollard" <J.deBoynePollard-newsgroups(a)NTLWorld.COM> wrote in message news:IU.D20100207.T022408.P15330.Q0(a)J.de.Boyne.Pollard.localhost... > > >> >> Are there any SIDs that are of the form S-1-x-y thar are not well-known >> SIDs? >> > Yes, plenty. The 1 is the revision number of the SID structure. >
From: Jonathan de Boyne Pollard on 7 Feb 2010 14:16 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> <blockquote cite="mid:OselyK7pKHA.5224(a)TK2MSFTNGP05.phx.gbl" type="cite"> <blockquote type="cite"> <blockquote type="cite"> <p>Are there any SIDs that are of the form S-1-x-y thar are not well-known SIDs?</p> </blockquote> <p>Yes, plenty. The 1 is the revision number of the SID structure.</p> </blockquote> <p>Um... Can you make an example of not-well-known SID with a single subauthority component (that's what the OP was asking)?</p> </blockquote> <p>That's your inference, and not in fact an implication in the original question. There's no occurrence of the word "subauthority" anywhere in xyr post. Indeed, M. Kuhr's recent purported paraphrase of xyr question actually includes <em>two</em> subauthorities in one of its examples, contradicting your inference. </p> <p>Even if one does incorporate your inference into the question, it's trivial to come up with examples, and you could have answered your own question with a moment's thought. There are, after all, tens of thousands of unused authorities and unused RIDs for exisiting authorities. You think that all SIDs with one RID are well-known? You tell us what S-1-2-45, S-1-1-32, and S-1-24-36 <em>are well-known as</em>, then. As I said, this is a trivial exercise, that you could easily have solved.</p> </body> </html>
From: Jonathan de Boyne Pollard on 7 Feb 2010 14:16 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> <blockquote cite="mid:uKpWZG$pKHA.3748(a)TK2MSFTNGP02.phx.gbl" type="cite"> <p>let me rephrase my question: "Can I safely assume that well-known SIDs will always be exactly one of the two forms S-1–x or S-1–x–y or S-1–x–y-z?"</p> </blockquote> <p>That's not two forms. That's not a paraphrase. Nor is it what you want to know. You're <em>excluding</em> well-known SIDs in your program, so you should be asking whether any <em>non-</em>well-known SIDs match the trivial patterns that you want to use for pattern matching. The answer to that is, of course, "Yes.". There are tens of thousands of <em>non-</em>well-known SIDs that match your patterns. As I was just saying to M. Grigoriev, it is a trivial exercise to construct some, that doesn't require very much effort at all.</p> <p>And this is to presume that your letters stand for one RID each, a presumption that is on shaky ground because you seem to think that the "S-1-x-y-z" in your paraphrase matches the "S-1-x-y" in your original, which of course would only be true if, like Microsoft's documentation, you actually <em>do not</em> mean one RID per letter. (In some of the TechNet documentation, Y denotes the entire string of RIDs, however long it is.) In which case, as M. Mostert said, your patterns in fact match all SIDs currently in existence.<br> </p> </body> </html>
From: Stefan Kuhr on 7 Feb 2010 17:17 Jonathan, Jonathan de Boyne Pollard wrote: >> >> >> let me rephrase my question: "Can I safely assume that well-known SIDs >> will always be exactly one of the two forms S-1–x or S-1–x–y or >> S-1–x–y-z?" >> > That's not two forms. That's not a paraphrase. Nor is it what you want > to know. You're /excluding/ well-known SIDs in your program, so you > should be asking whether any /non-/well-known SIDs match the trivial > patterns that you want to use for pattern matching. The answer to that > is, of course, "Yes.". There are tens of thousands of /non-/well-known > SIDs that match your patterns. As I was just saying to M. Grigoriev, it > is a trivial exercise to construct some, that doesn't require very much > effort at all. > > And this is to presume that your letters stand for one RID each, a > presumption that is on shaky ground because you seem to think that the > "S-1-x-y-z" in your paraphrase matches the "S-1-x-y" in your original, > which of course would only be true if, like Microsoft's documentation, > you actually /do not/ mean one RID per letter. (In some of the TechNet > documentation, Y denotes the entire string of RIDs, however long it > is.) In which case, as M. Mostert said, your patterns in fact match all > SIDs currently in existence. > Thanks for your input. You are right. This vague idea of relying on those forms of SIDs was something that left me with a bad feeling in my stomach anyway, because it simply seemed too much of an assumption to me. So many thanks for clearing this up. Actually, my requirements are: If my code determines a SID, that actually is not a well-known SID, to be a well-known SID, it would work incorrectly. This could happen if I relied on a certain form of SID as you have explained. However, if my code would determine a SID, that actually *is* a well-known SID, not to be a well-known SID, the LDAP query that I would fire next against the DC would give me a meaningful error. So this would only have performance implications, but the behaviour of the program would still be correct. So I think I can stay with the table based approach and be safe. BTW: Why are you posting your answers to comp.os.ms-windows.programmer.win32 as well? I only asked on microsoft.public.win32.programmer.kernel. I am just curiuos. Thanks for your help, -- S
|
Pages: 1 Prev: Flip screen application Next: Resize bitmap |