[ros-dev] [ros-diffs] [ekohl] 57517: [LSASRV] Implement lookup of accounts in the account domain of the SAM database. The advapi32 security winetest shows proper domain and account names for the administrator and guest ...
Eric Kohl
eric.kohl at t-online.de
Mon Oct 8 12:42:38 UTC 2012
Hi Alex,
IMO RtlEqualPrefixSid has been designed (by Microsoft) in a very
short-sighted way because the number of sub-authorities must be the same
for both SIDs.
Quote from
http://msdn.microsoft.com/en-us/library/windows/hardware/ff552256%28v=vs.85%29.aspx
(Remarks section):
It is advisable to modify the SID for a domain before comparing it with
a group or user SID. If the SID for RemoteDomain is S-1-1234-8, each
group or user SID for that domain will have S-1-1234-8 as its prefix. To
compare the SIDs by using RtlEqualPrefixSid, the caller copies the
domain SID and adds any subauthority relative identifier value to the
copy, thereby creating an SID in the form S-1-1234-8-0. (The relative
identifier, or RID, is the portion of a SID that identifies a user or
group in relation to the authority that issued the SID.) The caller then
uses the modified domain SID as a template against which the group and
user SIDs are compared.
My comment: BULLSHIT!
My implementation, which is BTW based on your implementation, handles
shorter prefix SIDs. Comparing S-1-5-5 and S-1-5-5-xx-yy works without
the need to extend the prefix SID.
That is the reason why I am using LsapIsPrefixSid instead of
RtlEqualPrefixSid.
Regards,
Eric
Am 07.10.2012 21:47, schrieb Alex Ionescu:
> Eric, with my rewrite, you can call RtlEqualPrefixSid instead of using
> LsapIsPrefixSid. The code should be the same
>
> Best regards,
> Alex Ionescu
>
>
> On Sun, Oct 7, 2012 at 7:33 PM, <ekohl at svn.reactos.org
> <mailto:ekohl at svn.reactos.org>> wrote:
>
> LsapIsPrefixSid
>
>
>
>
> _______________________________________________
> Ros-dev mailing list
> Ros-dev at reactos.org
> http://www.reactos.org/mailman/listinfo/ros-dev
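
The two comparison rules discussed in this thread, side by side, as an added example that is not ReactOS's `LsapIsPrefixSid` or Microsoft's `RtlEqualPrefixSid`: the `sid_t` type, both function names and all sample SIDs (RIDs and logon values included) are constructed for illustration. Both rules compare whole sub-authority values, so S-1-5-50-... is never treated as falling under S-1-5-5.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SUBAUTH 15 /* SID_MAX_SUB_AUTHORITIES on Windows */

/* Hypothetical in-memory SID with the same fields as the NT SID structure. */
typedef struct {
    uint8_t  revision, sub_count;
    uint8_t  authority[6];      /* identifier authority, big-endian */
    uint32_t sub[MAX_SUBAUTH];
} sid_t;

/* Revision, authority and the first n sub-authorities match as whole values. */
static bool same_head(const sid_t *a, const sid_t *b, uint8_t n) {
    if (a->revision != b->revision ||
        memcmp(a->authority, b->authority, sizeof a->authority) != 0)
        return false;
    for (uint8_t i = 0; i < n; i++)
        if (a->sub[i] != b->sub[i]) return false;
    return true;
}

/* Equal-count rule: same number of sub-authorities, all but the last equal. */
bool equal_prefix_sid(const sid_t *a, const sid_t *b) {
    if (a->sub_count != b->sub_count || a->sub_count > MAX_SUBAUTH) return false;
    return same_head(a, b, a->sub_count ? a->sub_count - 1 : 0);
}

/* Shorter-prefix rule: all of prefix's sub-authorities lead sid's. */
bool is_prefix_sid(const sid_t *prefix, const sid_t *sid) {
    if (prefix->sub_count > sid->sub_count || sid->sub_count > MAX_SUBAUTH) return false;
    return same_head(prefix, sid, prefix->sub_count);
}

/* Constructed sample SIDs; RIDs and logon values are made up. */
const sid_t DOM_SID   = {1, 1, {0,0,0,0,0x04,0xD2}, {8}};       /* S-1-1234-8 */
const sid_t TMPL_SID  = {1, 2, {0,0,0,0,0x04,0xD2}, {8, 0}};    /* S-1-1234-8-0 */
const sid_t USER_SID  = {1, 2, {0,0,0,0,0x04,0xD2}, {8, 1001}}; /* S-1-1234-8-1001 */
const sid_t LOGON_PFX = {1, 1, {0,0,0,0,0,5}, {5}};             /* S-1-5-5 */
const sid_t LOGON_SID = {1, 3, {0,0,0,0,0,5}, {5, 7, 4242}};    /* S-1-5-5-7-4242 */
const sid_t LOOKALIKE = {1, 3, {0,0,0,0,0,5}, {50, 7, 4242}};   /* S-1-5-50-7-4242 */

int main(void) {
    printf("equal-count:    domain/user=%d template/user=%d logon=%d\n",
           equal_prefix_sid(&DOM_SID, &USER_SID), equal_prefix_sid(&TMPL_SID, &USER_SID),
           equal_prefix_sid(&LOGON_PFX, &LOGON_SID));
    printf("shorter-prefix: domain/user=%d logon=%d lookalike=%d\n",
           is_prefix_sid(&DOM_SID, &USER_SID), is_prefix_sid(&LOGON_PFX, &LOGON_SID),
           is_prefix_sid(&LOGON_PFX, &LOOKALIKE));
}
```
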