Stable SIDs for "None"+"Administrator" ?
Christian Franke
Christian.Franke@t-online.de
Sat Nov 9 18:25:04 GMT 2024
Roland Mainz via Cygwin wrote:
> On Sat, Nov 9, 2024 at 6:00 PM Corinna Vinschen via Cygwin
> <cygwin@cygwin.com> wrote:
>> On Nov 9 17:31, Roland Mainz via Cygwin wrote:
>>> Does anyone know a list of SIDs which can be used to get the
>>> user+group accounts for passwd entry "Administrator" and group entry
>>> "None" ?
>>>
>>> Our problem is that the actual account names vary with the system
>>> locale, e.g. group entry "None" is "Kein" in "de_DE", "Aucun" in
>>> fr_FR etc. ...
>>> ... so far we thought we fixed this by doing a lookup via SID, and
>>> then remembering the localised name.
>>>
>>> But: The SIDs are apparently not stable between Windows versions.
>>> For example:
>>> ---- snip ----
>>> # Windows Server 2022/en
>>> $ getent group None
>>> None:S-1-5-21-168624908-967194555-3343779530-513:197121:
>>> # Windows Server 2019
>>> $ getent group None
>>> None:S-1-5-21-3286904461-661230000-4220857270-513:197121
>>> ---- snip ----
>> They *are* stable in that they are
>>
>> ${Machine-SID}-513
>>
>>> And if there is no such list, would $ mkgroup | egrep
>>> ':S-1-5-21-.+-513:' # be a suitable workaround ?
>> No.
>>
>> ${AD-SID}-513 == "Domain Users"
>>
>> I have not the faintest idea what the MS guys were thinking at the time,
>> calling the group "None". This is basically the equivalent of "Domain
>> Users" for local accounts on machines not being domain controller. A
>> useful name would have been "Local Users" or "Machine Users", but,
>> well, it is what it is.
>>
>> The safe way to check the SID is to fetch the machine SID, attach the RID
>> 513, and check for equality.
> How can I get the "machine SID", preferably using /usr/bin/getent,
> /usr/bin/getconf or /proc ?
If domain info is excluded from mkgroup output, the one and only S-*-513
group should contain the machine SID:

  $ sid=$(mkgroup -l | sed -n 's/[^:]*:\(S-[-0-9]*\)-513:.*$/\1/p')
  $ test -n "$sid" && test $(wc -l <<<"$sid") = 1 || echo 'My assumption was wrong :-)'

--
Regards,
Christian
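
Added example (not part of the original thread): a POSIX sh sketch of the check discussed above, which derives the machine SID from `mkgroup -l` style output, refuses to guess when zero or several `-513` groups are present, and then looks up the localised name by comparing against machine SID + RID 513. The function names and the sample input are constructed for illustration; the domain SID in the second sample is hypothetical.

```shell
#!/bin/sh
# Constructed sample of `mkgroup -l` output (name:SID:gid:), German locale.
sample_local='Administratoren:S-1-5-32-544:544:
Benutzer:S-1-5-32-545:545:
Kein:S-1-5-21-168624908-967194555-3343779530-513:197121:'

# Constructed sample where domain info leaked in (hypothetical domain SID).
sample_mixed="$sample_local
EXAMPLE+Domain Users:S-1-5-21-1111111111-2222222222-3333333333-513:1049089:"

# machine_sid TEXT
# Print the machine SID derived from mkgroup-style TEXT.
# Returns 1 unless exactly one distinct S-1-5-21-...-513 entry is found.
machine_sid() {
    sids=$(printf '%s\n' "$1" |
        sed -n 's/^[^:]*:\(S-1-5-21-[0-9][-0-9]*\)-513:.*$/\1/p' | sort -u)
    # No match must be rejected explicitly: counting lines of an empty
    # string that gets a trailing newline appended still yields 1.
    [ -n "$sids" ] || return 1
    # More than one candidate means a domain "-513" group is present too.
    [ "$(printf '%s\n' "$sids" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$sids"
}

# none_group_name TEXT
# Print the localised name of the group whose SID equals
# ${Machine-SID}-513, using an exact string comparison on the SID field.
none_group_name() {
    msid=$(machine_sid "$1") || return 1
    printf '%s\n' "$1" |
        awk -F: -v want="$msid-513" '$2 == want { print $1 }'
}

# On Cygwin the live call would be: none_group_name "$(mkgroup -l)"
none_group_name "$sample_local"
```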