Yeah this is actually fairly trivial, you just avoid
AllocateAndInitializeSid and use GetSidLengthRequired, InitializeSid, and
GetSidSubAuthority and you can pretty quickly make up a function to handle
up to the max. I recall the first time I saw the function and was confused
why AllocateAndInitializeSid was set up that way because it would have been
quite easy, probably actually easier, to have specified a subauthority count
and array of subauthorities to submit to the API. 

In order to properly blow our foot off, we would need to completely manually
build the SID structure and exceed 15 subauthorities. Interestingly enough, or I
guess the point where our foot would disappear in a mangled mess would be
when the SID structure would get chopped to 15 (or less depending on what
was written to the subauth count field) whenever it got passed to anything
that used the actual proper mechanisms. 

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 10:42 PM
To: [email protected]
Subject: RE: [ActiveDir] User SIDs...

:o)  Right, Joe!  They don't come from us, as far as I can tell.  If you
look at the function AllocateAndInitializeSid(), it is hard coded to 8
sub-authorities.

However, the customer in question from the 68 bytes max defined his own
function with base level calls and worked around the 8 sub-auths by defining
a variable that would accept however many he wanted to input.

Bottom line:  WE might give you the instructions on how to blow your foot
off, but generally you are expected to supply your own ammo and finger to
pull the trigger.  :o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 19, 2005 1:22 PM
To: [email protected]
Subject: RE: [ActiveDir] User SIDs...

A SID of 68 bytes would have the 15 RIDs, which is as far as I can tell the
highest number of RIDs a SID can hold.  There is only 1 byte reserved in the
first 8 bytes of the SID structure to store the number of RIDs, so that is
basically 15 (since 0 RIDs doesn't do much for you).


Where do these giant SIDs come from?  Most AD SIDs I've seen are 24 or
28 bytes (4 or 5 RIDs respectively).

Joe K.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 12:43 PM
To: [email protected]
Subject: RE: [ActiveDir] User SIDs...

Having read through most of the replies on this, it's interesting that there
was an internal (to Microsoft - just to clarify) discussion on this same
topic yesterday.

Seems that a customer was having problems with a function calling APIs for
SID creation when the SID exceeded 68 bytes.

I'll let you determine from that statement what the largest supported SID
is.  :o)

So, take that number into 12000 and I suspect that will give you a clear
idea of how memberships would begin to cause issues with Kerberos.
However, as Al mentions, this can be increased but I don't know what the max
supported size is.

And, as to figuring out the actual size of a SID, yes there is.  I don't
have the algorithm at my fingertips, but it can be derived pretty easily -
more easily with C/C++, or Perl, IIRC.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: [email protected]
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP
SP2 clients) can be before problems such as
http://support.microsoft.com/?kbid=327825 start occurring?  Also, is there
any way to determine the actual length of a user's SID?

TIA,

Brad
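One way to answer the "how long is a SID" question with Joe K.'s byte arithmetic (8-byte header plus 4 bytes per RID, 15 RIDs max, so 68 bytes). This is an added example, not code from the thread: it mirrors the Win32 SID layout in a plain struct so it compiles without <windows.h>, and the `portable_sid` type and parsing function are this example's own names; on Windows the same numbers come from GetSidLengthRequired() and GetLengthSid().

```c
/* Added example, not from the thread. Mirrors the Win32 SID layout (1-byte
   revision, 1-byte subauthority count, 6-byte identifier authority, then
   32-bit subauthorities) in a plain struct so it builds without <windows.h>. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15   /* one count byte; the Win32 APIs cap it at 15 */
#define SID_HEADER_BYTES        8    /* revision + count + 6-byte authority */

typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint8_t  identifier_authority[6];            /* big-endian 48-bit value */
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES];
} portable_sid;

/* Same arithmetic as GetSidLengthRequired(): 8 + 4 * count (15 -> 68). */
size_t sid_length_required(unsigned sub_authority_count)
{
    return SID_HEADER_BYTES + 4u * sub_authority_count;
}

/* Parse "S-1-5-21-..." into the structure and return the byte length the
   binary SID occupies. Returns 0 for a malformed string, zero RIDs, or more
   than 15 RIDs: refusing is safer than the silent truncation the thread
   describes when an over-long SID reaches code that trusts the count byte. */
size_t parse_sid_string(const char *text, portable_sid *out)
{
    unsigned rev; unsigned long long auth; int used = 0;
    if (sscanf(text, "S-%u-%llu%n", &rev, &auth, &used) != 2 || rev != SID_REVISION)
        return 0;
    memset(out, 0, sizeof *out);
    out->revision = (uint8_t)rev;
    for (int i = 0; i < 6; i++)                   /* store authority big-endian */
        out->identifier_authority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (const char *p = text + used; *p != '\0'; ) {
        char *end;
        if (*p != '-' || p[1] < '0' || p[1] > '9') return 0;   /* strict digits only */
        unsigned long long rid = strtoull(p + 1, &end, 10);
        if (rid > 0xFFFFFFFFull || out->sub_authority_count == SID_MAX_SUB_AUTHORITIES) return 0;
        out->sub_authority[out->sub_authority_count++] = (uint32_t)rid;
        p = end;
    }
    return out->sub_authority_count ? sid_length_required(out->sub_authority_count) : 0;
}

/* Convenience wrapper: byte length of a SID given only its string form. */
size_t sid_string_length(const char *text) { portable_sid s; return parse_sid_string(text, &s); }
```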


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
