Hello
As you know often a computer is connected to a network and managed by a domain controller.
What security information is stored on the local computer, what security information is stored on the network?
For example Microsoft Active Directory and an NTFS C drive.
The list of userids would be stored in AD.
What exactly is stored on the NTFS filesystem to show the userid is a networked AD userid?
Then there are groups as well (organisational units).
Then there are disk quotas. Is the quota stored on the hard drive or in AD?
The Linux equivalent would be LDAP and EXT2.
There would be a list of userids and groups in LDAP I presume.
How exactly are LDAP userids / groups recorded on the EXT2 filesystem?
I don't know if EXT2 supports quotas?
Userids and permissions on a networked computer
- Member
- Posts: 170
- Joined: Wed Jul 18, 2007 5:51 am
- Owen
- Member
- Posts: 1700
- Joined: Fri Jun 13, 2008 3:21 pm
- Location: Cambridge, United Kingdom
- Contact:
Re: Userids and permissions on a networked computer
Windows and Unix take wildly differing approaches
Under Windows:
- Every user and group is assigned a unique SID. You often see these in the format S-1-2-3-4-5, where each number between the dashes is 32 bits
- Each machine has its own SID. These are often 3 component numbers - that is, S-1-2-3
- Each user/group on a machine is assigned an SID by appending a number to the machine's SID. This is just a convenient method of generating a unique SID: S-1-2-3-4
- Some special groups (such as Users and Administrators) are assigned special SIDs which are the same on all machines
- When a computer joins a domain, it permits the users from the domain controller to login to it
- NTFS stores SIDs with permissions
Unix:
- Every user has an ID (UID). This is just a number
- Every group has an ID (GID). This is also just a number
- These can be the same on multiple machines - for example, UID 1 is always root (though not always named root)
- Unix machines which share authentication do this by connecting to a central server using LDAP or Kerberos. They use only the server's accounts, not any of their own. If they do have any local accounts defined in /etc/passwd, these are only minimal accounts for troubleshooting (For example, just root). It is possible to turn off use of /etc/passwd
Any quotas are an issue for the operating system (i.e. on Windows they're controlled by the relevant machine and, I would expect, by Group Policy; on Unix they're a matter for whatever machine is the file server).
- Member
- Posts: 170
- Joined: Wed Jul 18, 2007 5:51 am
Re: Userids and permissions on a networked computer
Thank you for the explanation.
If I have it right the file system stores ONLY numbers ( SID / UID / GID ) and it is up to the operating system to map users/groups to the numbers.
The number of users / groups is possibly infinite, so the size of access control list could theoretically be huge. I will have a look at how EXT2 filesystem stores the access control list.
- Member
- Posts: 170
- Joined: Wed Jul 18, 2007 5:51 am
Re: Userids and permissions on a networked computer
Another question....
Say I plug an NTFS hard disk into a Linux computer.
The Linux computer will only see SIDs (numbers), it will NOT see logon ids (tom@domain). Do I have that right?
Re: Userids and permissions on a networked computer
tom9876543 wrote:
Another question....
Say I plug an NTFS hard disk into a Linux computer.
The Linux computer will only see SIDs (numbers), it will NOT see logon ids (tom@domain). Do I have that right?
Correct. Same as if you plug that drive into a different Windows machine.
The cake is a lie | rackbits.com
- Owen
- Member
- Posts: 1700
- Joined: Fri Jun 13, 2008 3:21 pm
- Location: Cambridge, United Kingdom
- Contact:
Re: Userids and permissions on a networked computer
ext2 just stores the owner UID/GID, and the standard Unix mode field (12 bits). I believe it also has an attribute system for storing more complex ACLs (i.e. the type SELinux uses)
NT ACLs can be up to 64 KB in size, and can be applied to a multitude of objects.