Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Jeremy Allison jeremy at
Tue Dec 28 21:35:34 GMT 1999

Luke Kenneth Casson Leighton wrote:
> welll.... the LsaLookupNames calls end up coming to each indivcidual samba
> server to resolve ACL components, instead of to the PDC.
> i'm not sur that this is a security risk, but it's certainly not a good
> idea.

Why not ? The Samba server that issued the ACL is the only possible
source of SID -> name lookup information. 

> you can still grant remote users in completely foriegn domains (including
> workstations) the rights to use/view/rwxblahblah files through the
> security tab settings.

Yes. And if you do this the UNIX servers *MUST* refuse to set that
ACL and return an error as they cannot map such foreign SIDs to 

They can only map SIDs they have generated.

> again, with the current scheme (2.0.x), workstation SIDs are excluded from
> the mapping.

Good. It *has* to be so. These SIDs have no meaning on the Samba server.

Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list