[Samba] SIDs and UIDs and RIDs - Oh My!
John H Terpstra
jht at Samba.Org
Sun Aug 14 00:47:46 GMT 2005
OK - I'll bite!
Clearly you have read the documentation I have written and find it deficient.
That's OK! Now, will you help me to fix the deficiency please?
I need your help to make the documentation more useful.
Below is my side of this challenge you have issued. Please help me over my
myopia.
On Saturday 13 August 2005 18:00, Moondance Foxmarnick wrote:
> I'm trying to grasp pg. 154 of the "Official SAMBA-3" book by Terpstra and
> Vernooij and I'm just missing a critical networking concept.
Good. Let's fix this now.
I presume that we are talking about the current version of this book. Right?
Here's the URL:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
If this is NOT the version you checked, please let me know precisely the URL
from which you obtained this and the creation date so I can refer to the same
document as you have.
> I understand that SIDs are the numerical identification of a user for the
> Windows world.
Correct. I checked the index for RID. The first reference is in section 4.1
(page 46 in my build) where it says:
<quote>
A domain provides a unique network security identifier (SID). Domain user and
group security identifiers are comprised of the network SID plus a relative
identifier (RID) that is unique to the account. User and group SIDs (the
network SID plus the RID) can be used to create access control lists (ACLs)
attached to network resources to provide organizational access control. UNIX
systems recognize only local security identifiers.
</quote>
So from this it might be interpreted that each Windows account has a unique
RID, just as a UNIX user has a unique UID. Every Windows machine and every
Windows security domain has a unique SID. A user SID is made up of the
machine or domain SID and is catenated with a RID.
If that is not your interpretation please help me to understand the source of
confusion in the quoted section.
> I understand that UIDs are the equivalent for the *nix world.
A user account that has been created on a Windows workstation will have a
locally assigned RID. If an account is created in a Windows NT4 or Active
Directory Domain it will be allocated a unique RID within that security
context.
> But what the @$@! is a Relative IDentifier (RID)?!?
A RID is like a UID or a GID. Where UNIX has separate IDs for users and
groups, Windows has just one - the RID.
But the workstation referred to above has its SID. Every Windows workstation
has a unique SID. Every Windows NT4 or ADS domain has a SID also.
A user SID is made up of the SID of the security context within which it is
created plus the RID.
A SID looks like this:
S-1-5-21-11009899-23411980-22115678
If the user RID within the context of that SID has the value 879, then the
user SID will be:
S-1-5-21-11009899-23411980-22115678-879
>
> On page 153 the command to map a windows group to a *nix group - no mention
> of RIDs.
Sorry. I really goofed on that didn't I!
> Then on 154 it is stressed that under no circumstances should your *nix
> groups or users tread on Windows' assigned RIDs for Domain Admins, Domain
> Users, et al. Another example of groupmap - oh look it lists a RID?
Please explain. What is your point now?
> No mention as to where a RID comes from or can be viewed.
Really? I believe that it was in fact covered in section 4.1 - but if that is
not good enough please give me suggested text and a place you would like to
see it located within the document (by section number please - not by page
number).
> Do they mean that I can't have a user in Fedora that is 500?
Sheesh! Really not clear is it! UIDs are mapped to RIDs.
Since Windows allocates RIDs sequentially for users, groups and for trust
accounts we have to provide a way of mapping all UNIX users to a RID that is
absolutely unique. So Samba does algorithmic mapping. The RIDs are calculated
like this:
User_RID = UID * 2 + 1000
Group_RID = GID * 2 + 1001
That means that a UID of 500 will produce a RID of 2000.
> Isn't that a UID?
No! I think I have clarified that.
> Is a UID a RID?
No. A UID is a UNIX identifier. A RID is a Windows identifier. Samba provides
means to map them, but you can override the algorithmic mapping using the
pdbedit and the net utilities. If you do override the mapping, just make sure
you get no overlap between Windows user and group RIDs.
> I've used Fedora for a year now and have never typed a RID modifying
> command.
That is not a crime. No penalty is due. Most admins never need to mess with
RIDs. If you follow the guidelines I documented you should not ever need to
mess with the RIDs. That's the whole point of following standardized
procedures as shown in the documentation.
>
> I'm sure this is just so basic. But I don't know it and can't find it and
> it's critical to understand it.
Right. Now that I have explained it, is this any clearer? If it is, please
help me by rewriting or amending the documentation to remove the confusion.
When can I expect your patch, documentation update submission or a detailed
bug report on https://bugzilla.samba.org to help get this straightened out?
- John T.
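The following is an added worked example, not code from John Terpstra's message or from Samba itself. It implements the algorithmic UID/GID-to-RID mapping quoted above (User_RID = UID * 2 + 1000, Group_RID = GID * 2 + 1001), its inverse, the catenation of a domain SID with a RID using the sample SID from the message, and a check for the overlap the message warns about when RIDs are overridden by hand. The base value 1000 is taken from the formulas in the message (Samba exposes it as the "algorithmic rid base" setting; that name is an assumption here), and the well-known RIDs 512/513/514 are public Windows constants, not values from the message.

```python
"""Algorithmic UID/GID <-> RID mapping, SID catenation and overlap check.

Added example only; not Samba code. RID_BASE = 1000 follows the formulas
in the message; the well-known RIDs are public Windows constants.
"""
import re

RID_BASE = 1000  # assumption: Samba's default "algorithmic rid base"

# Well-known domain RIDs (public Windows constants, not from the message).
# With a base of 1000 and non-negative UIDs/GIDs the algorithmic range starts
# at 1000, so it can never land on these; only manual overrides can.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# S-1-<authority>-<sub-authority>... ; an account SID is a domain SID plus one
# trailing sub-authority, the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def uid_to_rid(uid: int, base: int = RID_BASE) -> int:
    """User_RID = UID * 2 + base (even offset from the base marks a user)."""
    if uid < 0:
        raise ValueError("UID must be non-negative")
    return uid * 2 + base


def gid_to_rid(gid: int, base: int = RID_BASE) -> int:
    """Group_RID = GID * 2 + base + 1 (odd offset from the base marks a group)."""
    if gid < 0:
        raise ValueError("GID must be non-negative")
    return gid * 2 + base + 1


def rid_to_unix_id(rid: int, base: int = RID_BASE) -> tuple:
    """Invert the mapping: ("uid", n) or ("gid", n).

    RIDs below the base are not algorithmic (well-known accounts or RIDs set
    by hand via pdbedit/net), so they are rejected rather than guessed at.
    """
    if rid < base:
        raise ValueError(f"RID {rid} is below the algorithmic base {base}")
    offset = rid - base
    kind = "uid" if offset % 2 == 0 else "gid"
    return (kind, offset // 2)


def make_sid(domain_sid: str, rid: int) -> str:
    """Catenate a machine/domain SID with a RID to form an account SID."""
    if not SID_RE.match(domain_sid):
        raise ValueError(f"not a SID: {domain_sid!r}")
    return f"{domain_sid}-{rid}"


def split_sid(account_sid: str) -> tuple:
    """Split an account SID into (domain SID, RID); the RID is the last field."""
    if not SID_RE.match(account_sid):
        raise ValueError(f"not a SID: {account_sid!r}")
    head, _, rid = account_sid.rpartition("-")
    return (head, int(rid))


def find_rid_conflicts(uids, gids, overrides, base: int = RID_BASE) -> dict:
    """Return {rid: [claimants]} for every RID that is claimed more than once
    or that collides with a well-known RID.

    `overrides` maps account names to RIDs assigned manually (the pdbedit/net
    case the message mentions); algorithmic claimants are named uid:N / gid:N.
    """
    claims = {}
    for uid in uids:
        claims.setdefault(uid_to_rid(uid, base), []).append(f"uid:{uid}")
    for gid in gids:
        claims.setdefault(gid_to_rid(gid, base), []).append(f"gid:{gid}")
    for name, rid in overrides.items():
        claims.setdefault(rid, []).append(name)
    return {rid: names for rid, names in claims.items()
            if len(names) > 1 or rid in WELL_KNOWN_RIDS}


if __name__ == "__main__":
    # Sample values from the message: domain SID plus user RID 879, and UID 500.
    domain = "S-1-5-21-11009899-23411980-22115678"
    print(make_sid(domain, 879))          # S-1-5-21-11009899-23411980-22115678-879
    print(uid_to_rid(500))                # 2000
    print(rid_to_unix_id(2001))           # ('gid', 500)
    # Constructed overrides: "svc" reuses the RID of UID 500, "ops" hits Domain Admins.
    print(find_rid_conflicts([500, 501], [500], {"svc": 2000, "ops": 512}))
```

The parity of the offset from the base is what keeps algorithmic user and group RIDs apart without any shared counter, which is why the message says overlap only becomes a concern once RIDs are assigned by hand; `find_rid_conflicts` is the check to run over such overrides before committing them.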