What is the key benefit of Microsoft Domain Security?
In a word,
, or SSO for short. To many, this is the Holy Grail of MS
Windows NT and beyond networking. SSO allows users in a well-designed network to log onto any workstation that
is a member of the domain that contains their user account (or in a domain that has an appropriate trust
relationship with the domain they are visiting) and they will be able to log onto the network and access
resources (shares, files, and printers) as if they are sitting at their home (personal) workstation. This is a
feature of the domain security protocols.
The benefits of domain security are available to those sites that deploy a Samba PDC. A domain provides a
unique network security identifier (SID). Domain user and group security identifiers are comprised of the
network SID plus a relative identifier (RID) that is unique to the account. User and group SIDs (the network
SID plus the RID) can be used to create access control lists (ACLs) attached to network resources to provide
organizational access control. UNIX systems recognize only local security identifiers.
A SID represents a security context. For example, every Windows machine has local accounts within the security
context of the local machine which has a unique SID. Every domain (NT4, ADS, Samba) contains accounts that
exist within the domain security context which is defined by the domain SID.
A domain member server will have a SID that differs from the domain SID. The domain member server can be
configured to regard all domain users as local users. It can also be configured to recognize domain users and
groups as non-local. SIDs are persistent. A typical domain of user SID looks like this:
Every account (user, group, machine, trust, etc.) is assigned a RID. This is done automatically as an account
is created. Samba produces the RID algorithmically. The UNIX operating system uses a separate name space for
user and group identifiers (the UID and GID) but Windows allocates the RID from a single name space. A Windows
user and a Windows group can not have the same RID. Just as the UNIX user
root has the
UID=0, the Windows Administrator has the well-known RID=500. The RID is catenated to the Windows domain SID,
so Administrator account for a domain that has the above SID will have the user SID
The result is that every account in the Windows networking world has a globally unique security identifier.