Samba HowTo Guide

Features and Benefits

What is the key benefit of Microsoft Domain Security?

In a word, single sign-on, or SSO for short. To many, this is the Holy Grail of MS Windows NT (and later) networking. SSO allows users in a well-designed network to log onto any workstation that is a member of the domain containing their user account (or of a domain that has an appropriate trust relationship with the domain that holds their account), and they are then able to access network resources (shares, files, and printers) as if they were sitting at their home (personal) workstation. This is a feature of the domain security protocols: the user is authenticated by the domain, not by the individual workstation, so one set of credentials is valid across every member machine.

The benefits of domain security are available to those sites that deploy a Samba PDC. A domain provides a unique network security identifier (SID). Domain user and group security identifiers consist of the network SID plus a relative identifier (RID) that is unique to the account. User and group SIDs (the network SID plus the RID) can be used to create access control lists (ACLs) attached to network resources to provide organizational access control. UNIX systems recognize only local identifiers (UIDs and GIDs), so a Samba host must map each domain SID it encounters to a local UID or GID before the underlying filesystem can enforce access for that account.

A SID represents a security context. For example, every Windows machine has local accounts within the security context of the local machine, which has a unique SID. Every domain (NT4, ADS, Samba) contains accounts that exist within the domain security context, which is defined by the domain SID.

A domain member server has a local machine SID of its own, which differs from the domain SID. The domain member server can be configured to regard all domain users as local users, or to recognize domain users and groups as non-local. SIDs are persistent: an account keeps its SID for its lifetime, so ACL entries keyed by SID remain valid even when the account is renamed. A typical domain SID looks like this:

S-1-5-21-726309263-4128913605-1168186429

Every account (user, group, machine, trust, etc.) is assigned a RID. This is done automatically as an account is created. Samba produces the RID algorithmically. The UNIX operating system uses separate name spaces for user and group identifiers (the UID and GID), but Windows allocates RIDs from a single name space: a Windows user and a Windows group cannot have the same RID. Just as the UNIX user root has UID 0, the Windows Administrator has the well-known RID 500. The RID is catenated to the Windows domain SID, so the Administrator account for a domain that has the above SID will have the user SID

S-1-5-21-726309263-4128913605-1168186429-500

The result is that every account in the Windows networking world has a globally unique security identifier.
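The following worked example is added here and is not code from the Samba HowTo Guide or the Samba project. It parses SIDs in the textual form shown above, catenates RIDs to the domain SID quoted in the text, converts between the textual and binary SID layouts, and reproduces Samba 3's default algorithmic RID mapping (users get even RIDs, groups odd, above an `algorithmic rid base` of 1000). The UIDs, GIDs and the `Sid` class are constructed for the example; the base and multiplier are assumed to match the smb.conf defaults.

```python
import re
from dataclasses import dataclass

# Domain SID quoted in the text; the other values below are constructed for the example.
DOMAIN_SID = "S-1-5-21-726309263-4128913605-1168186429"

# Well-known RIDs, fixed by Windows and the same in every domain.
RID_ADMINISTRATOR = 500      # the domain Administrator, like UID 0 for root
RID_DOMAIN_USERS = 513

# Samba 3 algorithmic mapping; assumed to match the smb.conf default "algorithmic rid base".
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2           # users get even RIDs, groups odd, so they can never collide

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the textual S-R-A-S1-S2... form, rejecting malformed input."""
        m = _SID_RE.match(text)
        if not m:
            raise ValueError("not a SID: %r" % text)
        revision, authority = int(m.group(1)), int(m.group(2))
        subs = tuple(int(s) for s in m.group(3).strip("-").split("-"))
        if revision != 1 or authority >= 1 << 48:
            raise ValueError("bad revision or authority: %r" % text)
        if len(subs) > 15 or any(s >= 1 << 32 for s in subs):
            raise ValueError("bad sub-authority: %r" % text)
        return cls(revision, authority, subs)

    def __str__(self):
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    def is_domain_sid(self):
        """NT authority (5), sub-authority 21 and three 32-bit values: a domain or
        local machine SID with no RID appended yet."""
        return (self.authority == 5 and len(self.subauthorities) == 4
                and self.subauthorities[0] == 21)

    def with_rid(self, rid):
        """Catenate a RID to a domain SID to form an account SID."""
        if not 0 <= rid < 1 << 32:
            raise ValueError("RID out of range: %d" % rid)
        return Sid(self.revision, self.authority, self.subauthorities + (rid,))

    def split_rid(self):
        """Inverse of with_rid: returns (domain SID, RID)."""
        if len(self.subauthorities) < 2:
            raise ValueError("no RID to split off")
        return Sid(self.revision, self.authority, self.subauthorities[:-1]), self.subauthorities[-1]

    def to_bytes(self):
        """Binary SID as stored in security descriptors and sent on the wire:
        revision (1 byte), sub-authority count (1 byte), 48-bit authority
        big-endian, then each sub-authority as a little-endian uint32."""
        return (bytes([self.revision, len(self.subauthorities)])
                + self.authority.to_bytes(6, "big")
                + b"".join(s.to_bytes(4, "little") for s in self.subauthorities))

    @classmethod
    def from_bytes(cls, data):
        """Parse the binary layout, checking the count against the length."""
        if len(data) < 8 or len(data) != 8 + 4 * data[1]:
            raise ValueError("truncated or oversized binary SID")
        authority = int.from_bytes(data[2:8], "big")
        subs = tuple(int.from_bytes(data[8 + 4 * i:12 + 4 * i], "little")
                     for i in range(data[1]))
        return cls(data[0], authority, subs)


def uid_to_rid(uid):
    """Samba 3 algorithmic mapping for users: even RIDs above the base."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def gid_to_rid(gid):
    """Same mapping for groups, with the low bit set, so a UID and a GID that
    share the same number still get distinct RIDs in the single RID name space."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


def rid_to_unix_id(rid):
    """Invert the algorithmic mapping: ('user', uid) or ('group', gid).
    RIDs below the base (e.g. 500) are well-known and not algorithmic."""
    if rid < ALGORITHMIC_RID_BASE:
        raise ValueError("RID %d is well-known, not algorithmically mapped" % rid)
    kind = "user" if rid % RID_MULTIPLIER == 0 else "group"
    return kind, (rid - ALGORITHMIC_RID_BASE) // RID_MULTIPLIER


if __name__ == "__main__":
    domain = Sid.parse(DOMAIN_SID)
    print("domain SID   :", domain, "domain-style:", domain.is_domain_sid())
    print("Administrator:", domain.with_rid(RID_ADMINISTRATOR))
    print("UNIX uid 1000:", domain.with_rid(uid_to_rid(1000)))
    print("UNIX gid 1000:", domain.with_rid(gid_to_rid(1000)))
    print("binary form  :", domain.to_bytes().hex())
```

Note that the example treats a SID that decodes cleanly as nothing more than a well-formed identifier: whether the domain part belongs to your domain, and whether the RID is an account you trust, is a separate check, and a Samba host still needs an idmap entry before a parsed domain SID means anything to the local filesystem.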

Published under the terms of the GNU General Public License.