What does an alias group mean in SID context?

Reading https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html, I found out that there exists an alias for groups. But what does this alias mean? Does it mean that it is connected to another group and inherits its permissions? If so, how could I find out what group it belongs to?

I looked on the internet but could not find anything about this. There is a lot about SID, RID on the internet, but nothing about aliases. What does it mean in a SID context?

SIDs exist in Active Directory domains (Windows Server) and Samba (PDC).


Solution 1:

Microsoft documented most of the internals of this in [MS-SAMR].

Here are some definitions from that document:

account: A user (including machine account), group, or alias object. Also a synonym for security principal or principal.

alias: An alternate name that can be used to reference an object or element.

alias object: See resource group.

resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.

The object-based perspective shows that the protocol exposes five main object abstractions: a server object, a domain object, a group object, an alias object (an "alias" being a type of group), and a user object.

In the context of Active Directory, this is a Domain-Local (or a Builtin-Local) Group. Domain-Local Groups have a sAMAccountType value of SAM_ALIAS_OBJECT. (sAMAccountType enumeration)

Here is a document on group scope, which explains that Domain-Local groups can only be assigned permissions on resources within the same domain, which jibes with the aforementioned definition of a "resource group." Why they chose the word "alias," the world may never know.
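
As an added illustration of the answer above (not part of the original answer), this Python sketch decodes a binary `objectSid` and uses `sAMAccountType` to tell alias objects (Domain-Local or Builtin-Local groups) apart from other groups. The constants come from Microsoft's sAMAccountType enumeration; the domain SID and the `FileShare-RW` group are constructed sample data.

```python
import struct

# Values from Microsoft's sAMAccountType enumeration.
SAM_GROUP_OBJECT = 0x10000000
SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001
SAM_ALIAS_OBJECT = 0x20000000
SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001
BUILTIN_DOMAIN_SID = "S-1-5-32"  # well-known BUILTIN domain


def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into S-R-A-S1-S2-... form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the sample records."""
    _, rev, auth, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def classify(sam_account_type: int, raw_sid: bytes) -> tuple:
    """Return (sid, label) telling alias objects apart from other groups."""
    sid = sid_to_str(raw_sid)
    domain_sid = sid.rpartition("-")[0]
    if sam_account_type in (SAM_ALIAS_OBJECT, SAM_NON_SECURITY_ALIAS_OBJECT):
        scope = "builtin-local" if domain_sid == BUILTIN_DOMAIN_SID else "domain-local"
        return sid, f"alias ({scope})"
    if sam_account_type in (SAM_GROUP_OBJECT, SAM_NON_SECURITY_GROUP_OBJECT):
        return sid, "group (not an alias)"
    return sid, "not a group"


# Constructed sample records: (name, sAMAccountType, objectSid).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID
SAMPLE = [
    ("Administrators", 0x20000000, sid_to_bytes("S-1-5-32-544")),
    ("FileShare-RW", 0x20000000, sid_to_bytes(DOM + "-1105")),
    ("Domain Admins", 0x10000000, sid_to_bytes(DOM + "-512")),
]

if __name__ == "__main__":
    for name, sat, raw in SAMPLE:
        print(name, *classify(sat, raw))
```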