Security Identifier (SID) to User Identifier (uid) Resolution System

Jeremy Allison jeremy at
Tue Dec 28 21:24:32 GMT 1999

Luke Kenneth Casson Leighton wrote:
> > They create different SIDs because they are *DIFFERENT USERS*.
> if they are different users, then they should be in private/smbpasswd, not
> verified against the PDC.

No. Not true. We verify against the PDC as a convenience. The
real user list remains in /etc/passwd (or the nsswitch equivalent).

> this means that instead of the NT client going to the PDC to resolve the
> SID for a user (LsaLookupNames to the PDC) the NT client comes to us to
> resolve the SID (LsaLookupNames to the samba server).

Which is exactly what they need to do, as the SID they are
using is relative to the Samba server they have mounted,
and cannot be used anywhere else.

> my question is, therefore, what the heck are we thinking, and what was it
> again that we were smoking when we discussed this fifteen months ago,
> jeremy?

It is exactly the correct thing to do for file system users.

> additionally, i don't believe that samba 2.0.x can properly distinguish
> local users from remote users in SMBsesssetupX, at the moment (i think i
> only recently properly implemented this in SAMBA_TNG when i implemented
> get_any_dc_name(), i'll have to check).

It cannot distinguish them because POSIX doesn't distinguish them.


My God Luke, how many times do I have to shout this? Last time
I mentioned this you agreed with me. Why are you bringing this
erroneous assumption up again?

> if this were to be implemented, how would we create ACLs to distinguish a
> local user login (SID of local user = S-1-5-localsmbpasswd) from a remote
> user login (SID of remote user = S-1-5-passwordserver=someserver with
> security=domain set), when the algorithmic function we are using can only
> deal with one SID?

We don't. Pure and simple. For the reason that a "remote login user"

> i've been doing nothing else for the past 5 days, pretty much.

But you keep bringing up the same issues! I'm starting to think
it's not worth discussing this with you, you never seem to get it!

> NT doesn't authenticate users against the remote PDC's SAM and then
> generate ACLs for those users from its local SAM database, which is what
> is implemented _right now_ in 2.0.X with "security = domain".
> this is what i am objecting to, more than anything else, and it's all due
> to the use of the pdb_group_rid_to_gid() etc functions.

I will discuss any and all of this further with you, when
you tell me how to distinguish between a local and remote
uid_t or gid_t on POSIX.

Good luck.


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
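
The argument in this message, that a SID handed out for a POSIX account can only be relative to the Samba server because a uid_t records nothing about who authenticated the user, sketched as an added example. It is not code from this post or from Samba; the RID constants, the domain values and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Illustrative constants (assumptions), not taken from the Samba source. */
#define RID_BASE 1000u
#define RID_STEP 2u

/* A SID of the form S-1-5-21-a-b-c-rid: domain part plus trailing RID. */
struct sid { uint32_t dom[3]; uint32_t rid; };

/* Constructed sample domain values for the Samba server and the PDC. */
static const uint32_t SERVER_DOM[3] = {111, 222, 333};
static const uint32_t PDC_DOM[3]    = {444, 555, 666};

/* uid -> SID. The only domain available is the server's own: a uid_t
 * carries no record of which authority authenticated the user. */
struct sid uid_to_sid(uid_t uid)
{
    struct sid s;
    memcpy(s.dom, SERVER_DOM, sizeof s.dom);
    s.rid = RID_BASE + (uint32_t)uid * RID_STEP;
    return s;
}

/* SID -> uid. Returns 0 only for SIDs relative to this server. */
int sid_to_uid(const struct sid *s, uid_t *uid)
{
    if (memcmp(s->dom, SERVER_DOM, sizeof s->dom) != 0)
        return -1;   /* issued by another domain: nothing to map it to */
    if (s->rid < RID_BASE || (s->rid - RID_BASE) % RID_STEP != 0)
        return -1;   /* not a user RID under this scheme */
    *uid = (uid_t)((s->rid - RID_BASE) / RID_STEP);
    return 0;
}

int main(void)
{
    /* Local login and PDC-verified login resolve to one /etc/passwd uid. */
    uid_t local_login = 500, domain_login = 500, out;
    struct sid a = uid_to_sid(local_login), b = uid_to_sid(domain_login);
    struct sid pdc = {{0, 0, 0}, 2000};
    memcpy(pdc.dom, PDC_DOM, sizeof pdc.dom);
    printf("same SID for both logins: %d\n", memcmp(&a, &b, sizeof a) == 0);
    printf("PDC-issued SID maps here: %d\n", sid_to_uid(&pdc, &out) == 0);
    return 0;
}
```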
