As Dean keeps saying, how about describing the actual problem as you see/experience it. Could be something totally different. I'll bet somebody here would be helpful if they knew what to help with. :)
Al -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 10:49 AM To: [email protected] Subject: RE: [ActiveDir] User SIDs... Looks like the PAC is intact, and all SIDs are well within the limit. This is done from the user account that is exhibiting the problem. I am at a loss on this one now.... Tokensz Results: Name: Kerberos Comment: Microsoft Kerberos V1.0 Current PackageInfo->MaxToken: 12000 QueryKeyInfo: Signature algorithm = Encrypt algorithm = RSADSI RC4-HMAC KeySize = 128 Flags = 2081e Signature Algorithm = -138 Encrypt Algorithm = 23 Start:8/19/2005 16:19:12 Expiry:8/20/2005 2:16:44 Current Time: 8/19/2005 16:19:15 MaxToken (complete context) 1790 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 19 August 2005 14:56 To: Send - AD mailing list Subject: RE: [ActiveDir] User SIDs... ... it still doesn't look quite right, I'm thinking the issuing auth. is 48 bits by itself but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, August 19, 2005 9:29 AM To: Send - AD mailing list Subject: RE: [ActiveDir] User SIDs... The URL you supplied does not relate to a problem with the length of any one specific SID, it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SID, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely. Regarding SID construct, they're comprised of a number of elements but since I don't have the doc. to hand at the moment (though I'm certain you'll find something through google) I'll offer what I remember of their construct - Example SID - S-1-5-21-2123478354-492892223-854245498-1113 [1] [2] [2] [2] [3] Breakdown - [1] = I'm a SID, revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid, I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the afore mentioned elements) [2] = domain component (96 bits I believe) [3] = relative identifier (RID = 30 bits) In addition, you may want to locate and download a Microsoft tool named "tokensz.exe" and run something like - C:\>tokensz /compute_tokensize Dean -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 8:29 AM To: [email protected] Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a users SID (Win2K DC's, WinXP SP2clients ) can be before problems such as http://support.microsoft.com/?kbid=327825 <http://support.microsoft.com/?kbid=327825> start occuring ? Also, there anyway to determine the actual length of a users SID??? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message has been scanned for viruses by MailControl - (see http://bluepages.wsatkins.co.uk/?4318150) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
