Mapping of RIDs to uid_t and gid_t

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Apr 6 15:37:27 GMT 1998


On Tue, 7 Apr 1998, David Collier-Brown wrote:

> I wrote:
> > 
> >         If true, we have two number lines like this where the x's
> > indicate unix uid's are (probabilistically) present
> > 
> > Uid     |xxxx  xxxxxxxxxxx  xx xx   |                     x   xx|
> >         +---------------------------+---------------------------+
> >         |     |     |                n-1                         n
> >         0    100  1000              2                           2
> > 
> > NT RID
> >         |                                                       |
> >         +---------------------------+---------------------------+
> >         |                            n-1                         n
> >         0                           2                           2


> > 
> >         If we fold the negative numbers down adjacent to the uids,
> > this only requires us to fold a smallish range plus four
> > bits of attributes into a quite large range.
> 
> Concrete proposal A:
> 	1) treat -1, -2 and any friends as special cases
> 	   and map them to 1, 2, ...          

dave, which domain is being mapped to which?  -1 unix uid being mapped to
1 nt RID?  if so, you cannot do this: the NT RIDs from 1 to 0x1ff i have
never seen used (anyone know what they are for?)

NT splits RIDs into ranges.  it would be useful to know exactly what those
ranges are.  anyone got any sources of info on this?


> Concrete proposal B:
> 	If and only if you don't need to know if the number
> 	represents user group or whatever, map groups into
> 	a range following the small negative numbers, and
> 	use 2**32 - n digits to represent 2*32 digits.  In
> 	this case n is (number of groups + number of negative
> 	uids).

i think that the purpose of jeremy / andrew's proposal was to come up with
a scheme that easily identifies an NT RID as a group or user RID, given
that both are in the same number space.

i think NT does something similar, and the numbers wrap around using some
of the lower bits to identify users from groups:

- jeremy / andrew propose top four bits to identify groups, users, trust
accounts and inter-domain-trusted users.

- NT uses, oh, i don't know, bits 10 and 11 to identify groups from users.

why do we need to identify inter-domain-trusted users by only the NT RID
(or are we), and why do we need to give them their own UNIX uid/gid? the
scheme suggested by jeremy/andrew implies that we are going to allow users
which actually should be identified fully by their own SID _plus_ their NT
RID access to another unix machine. 

hm.  this implies that the smbpasswd scheme might be a bit limited.  hm.
inter-domain-trusted users have their own SID+RID, which at present we do
not store anywhere.

hm.  i know i'm the one that brought the subject up, but can we leave this
one for now until more info is available, and just deal with a single
domain?

luke




More information about the samba-technical mailing list