Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Jeremy Allison jeremy at
Thu Dec 23 20:34:37 GMT 1999

Steve Langasek wrote:
> >Secondly, the SID S-1-1 represents the concept in the NT Security Model
> >of "Everyone", and should explicitly be mapped to the Unix "other" concept.
> If I understand correctly the NT idea of 'everyone', then this is not an exact
> mapping.
> In Unix, if a file (or directory) has permissions of rwx---r-x and is owned by
> user foo/group bar, then user foo has full access to the file, group bar has
> *NO* access to the file, and everyone else has read/execute permissions.

The current version of mapping UNIX perms to NT ACLs in Samba 2.0.x
reproduces these semantics correctly.

> When you say 'Everyone', do you literally mean that these permissions are
> available to anyone who tries to access the file, even if there is another
> ACE present which applies to them?  Or is S-1-1 only looked at if no other
> ACE's match?  If the first case is true, then the mapping becomes more
> complex.

Nope, the second case is true. NT ACLs are processed
in order, and Samba always returns them in the user/group/world


	Jeremy Allison,
	Samba Team.

Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list