Mapping of RIDs to uid_t and gid_t

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sat Apr 4 16:12:54 GMT 1998


On Sat, 4 Apr 1998, Jeremy Allison wrote:

> David Collier-Brown wrote:
> > 
> > 
> >         This block-allocation is very common at least at
> >         York University and several large commercial sites,
> >         so groups can cooperate on generating unique userids.
> >         This means that the high 4 bits can be taken (although
> >         most people avoid setting bit 31 (:-))
> > 
> >         Therefore ((uid+1000) & 28bits) may cause loss of
> >         significant digits. **May**!  It's probabilistic...
> 
> Yes I know - there's not much I can do about that though.
> I have to map the UNIX uid_t's into the 32 bit space somehow,
> and it has to be a static mapping as NT machines may cache
> the SID.

jeremy, by "caching the SID", do you mean "caching the domain SID
(S-1-5-21-0xNNNNNNNN-0xNNNNNNNN-0xNNNNNNNN) with the user or group RID",
which is the standard NT way to identify a user or group across the entire
internet?
 
> > 
> >         Are the group and machine ID's randomly distributed, or are
> >         they individually counted up from 0?  I'm having a half-baked
> >         thought (;-))
> > 
> 
> *Everything* - machine accounts, user accounts, groups
> etc. are mapped into the 32 bit RID space.

yep.  and the RIDs in this space must be unique, but they need not be
unique in the unix space (which is why both ID sets of information must be
associated in the same structure).
 
> Jean Francois Micouleau wrote:
> 
> > Do we really need one uid by machine ?
> 
> Yes we do. All machines must be able to be
> uniquely identified. It would help if the
> machine account was actually allocated in
> the unix /etc/passwd file but I don't want
> to require that.

yes it would, enormously, but we can make do with doing something
equivalent to "map username" or even using "map username" itself, as i
mentioned in an earlier posting. 

> Also, as Luke pointed out - the 'aliases'
> are actually local groups.

if the machine name is KNIGHT, then it is allocated its own SID.  let's
say "S-1-5-21-0x01-0x02-0x03".  if you do a "LsaLookupNames" on
S-1-5-21-0x01-0x02-0x03-547 i would expect this to return "Power Users".

if the domain name is DOMAIN, then it is also allocated its own SID.
say, "S-1-5-21-0x11-0x22-0x33".  if you do a "LsaLookupNames"  on
S-1-5-21-0x11-0x22-0x33-547, i would expect you to get a "not found"
response.

however, this really needs to be checked: it's only speculation.

 
> This leads to an interesting implementation
> possibility.
> 
> If the Samba PDC is set to be the NIS/NIS+ master,
> then the user/group account database available
> via YP becomes the Domain account database,

yep!

> and the local accounts on the local Samba
> servers within that domain become the local
> users and the aliases. Hmmmmm....

cool idea.  hmm indeed :-)
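Two points from the thread above can be made concrete in code: the `(uid+1000) & 28bits` fold that David warns may discard significant bits, and the split of a textual SID into the domain SID and the trailing RID that Luke describes. This is an added illustration, not code from Samba or from any poster; the 1000 offset and 28-bit mask are taken from the thread, and the helpers (`uid_to_rid`, `uid_to_rid_is_lossy`, `sid_split`) are hypothetical names chosen here.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mapping discussed in the thread: add 1000 and keep the low 28 bits.
 * Offset and mask come from the thread; the function names are ours. */
#define RID_OFFSET 1000u
#define RID_MASK   0x0FFFFFFFu

uint32_t uid_to_rid(uint32_t uid) {
    return (uid + RID_OFFSET) & RID_MASK;
}

/* Returns 1 when the fold discards bits of uid, i.e. when some other uid
 * maps to the same RID. Block-allocated uids that use the high 4 bits
 * (the York University case David mentions) always trip this check. */
int uid_to_rid_is_lossy(uint32_t uid) {
    return ((uid + RID_OFFSET) & ~RID_MASK) != 0;
}

/* Split "S-1-5-21-A-B-C-RID" into the domain SID prefix and the RID.
 * Sub-authorities may be decimal or 0x-hex, as written in the thread.
 * Returns 0 on success, -1 on malformed input. */
int sid_split(const char *sid, char *domain, size_t domlen, uint32_t *rid) {
    const char *last = strrchr(sid, '-');
    if (!last || strncmp(sid, "S-1-", 4) != 0 || last[1] == '\0') return -1;
    char *end;
    unsigned long v = strtoul(last + 1, &end, 0);   /* base 0: 547 or 0x223 */
    if (*end != '\0' || v > 0xFFFFFFFFul) return -1;
    size_t n = (size_t)(last - sid);
    if (n + 1 > domlen) return -1;
    memcpy(domain, sid, n);
    domain[n] = '\0';
    *rid = (uint32_t)v;
    return 0;
}

int main(void) {
    char dom[64];
    uint32_t rid;
    /* Constructed inputs: uid 0 and uid 0x10000000 collide after the fold. */
    printf("uid 0 -> RID %u, uid 0x10000000 -> RID %u (lossy=%d)\n",
           uid_to_rid(0), uid_to_rid(0x10000000u),
           uid_to_rid_is_lossy(0x10000000u));
    if (sid_split("S-1-5-21-0x01-0x02-0x03-547", dom, sizeof dom, &rid) == 0)
        printf("domain SID %s, RID %u\n", dom, rid);
    return 0;
}
```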
