Security Identifier (SID) to User Identifier (uid) Resolution System

Nicolas Williams Nicolas.Williams at
Tue Dec 28 21:20:27 GMT 1999

On Wed, Dec 29, 1999 at 08:05:03AM +1100, Luke Kenneth Casson Leighton wrote:
> On Tue, 28 Dec 1999, Jeremy Allison wrote:
> > Luke Kenneth Casson Leighton wrote:
> > It cannot distinguish them because POSIX doesn't distinguish them.
> > 
> > 
> > My God luke, how many times do I have to shout this ? Last time
> > I mentioned this you agreed with me. Why are you bringing this
> > erroneous assumption up again ?
> because i understand that there are no remote users in posix.  i _do_
> agree with you.  i am not making any erroneous assumptions.
> what i am desperately trying to get you to appreciate is that we are
> making a really big mistake by mapping from remote SAM SID to real local
> POSIX uid and then to a different SAM SID.

Well, it's a little mistake. No security implications. It just looks
strange to the users.

Remember, the mapping of uids/gids->sids is there so that users can look
at and try to manipulate permissions on Unix files from their NT
clients. This requires that they be able to see a meaningful string in
the ACL editor on a Unix file; what they see now is fine: they see the
samba server's name, followed by '\' followed by the Unix user/groupname.

> think about this: why are we bothering to map uids to SIDS in ACLs,
> anyway, even with the 2.0.x scheme?  we can't do this, because, according
> to your own argument, the concept of "remote users" doesn't exist on a
> Unix system.  SIDs do not exist.  remote users do not exist.  therefore,
> we cannot even _create_ SIDs because they are meaningless to the Unix
> system that samba is implemented on.

Wellll, in NT you have the concept of local users: RIDs relative to
_host_ SIDs. A Samba server in security=domain mode is a domain member
with a host SID assigned to it. The Samba server can only create new
SIDs that are relative to its host SID. Mapping a uid/gid to a
domain-relative SID would require that you make damn sure that the
mapping is semantically correct. That's what you want to see done.

That's what I want as well, and I bet many others would like that too,
because maintaining this *nix-and-NT-are-totally-different attitude is
costly from a labor point of view.

Until you can guarantee that equivalency between a given *nix domain's
users/groups and a related NT domain you have to stick with Samba's
current approach to uid/gid->sid mapping.

There's no need to argue here. Keep the current system, add support for
externally provided mapping solutions and you're set.
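The uid/gid-to-SID mapping and the host-SID-relative RID scheme discussed in this message, as an added Python example that is not part of the original thread or of Samba's code: it composes host-relative SIDs from Unix uids and gids, maps them back, refuses a SID whose domain part is not the local host SID (so a remote SAM's SID never silently becomes a local uid), and renders the `SERVER\user` string a Unix file's ACL editor would show. The host SID, the RID base and the base-plus-2*uid arithmetic are assumptions chosen for illustration (modelled on Samba's classic algorithmic mapping), not values taken from the page.

```python
import re
from dataclasses import dataclass

# Textual SID form: S-1-<authority>-<subauth>-<subauth>-...-<rid>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple  # last element is the RID

    @classmethod
    def parse(cls, text):
        m = SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        subs = tuple(int(x) for x in m.group(2).split("-")[1:])
        return cls(int(m.group(1)), subs)

    def __str__(self):
        return "S-1-%d-%s" % (self.authority,
                              "-".join(str(s) for s in self.subauthorities))

    @property
    def domain(self):
        """The SID this SID is relative to (everything but the RID)."""
        return Sid(self.authority, self.subauthorities[:-1])

    @property
    def rid(self):
        return self.subauthorities[-1]


# Constructed host SID for our Samba server (assumption: arbitrary sample value).
HOST_SID = Sid.parse("S-1-5-21-111-222-333")

# Assumption: algorithmic RID base, modelled on Samba's classic scheme.
# Even offsets above the base are users, odd offsets are groups.
RID_BASE = 1000


def uid_to_sid(uid, host_sid=HOST_SID):
    """Create a SID relative to the host SID for a local Unix uid."""
    return Sid(host_sid.authority, host_sid.subauthorities + (RID_BASE + 2 * uid,))


def gid_to_sid(gid, host_sid=HOST_SID):
    """Create a SID relative to the host SID for a local Unix gid."""
    return Sid(host_sid.authority, host_sid.subauthorities + (RID_BASE + 2 * gid + 1,))


def sid_to_unix(sid, host_sid=HOST_SID):
    """Return ('uid', n) or ('gid', n) for a host-relative SID.

    A SID relative to any other domain has no local POSIX identity, so it is
    rejected rather than guessed at; the caller must consult an external
    mapping service for those.
    """
    if sid.domain != host_sid:
        raise LookupError(f"{sid} is not relative to host SID {host_sid}")
    rel = sid.rid - RID_BASE
    if rel < 0:
        raise LookupError(f"{sid}: RID below the algorithmic base (reserved)")
    kind = "uid" if rel % 2 == 0 else "gid"
    return kind, rel // 2


def acl_display_name(sid, host_name, passwd, group):
    """String the NT ACL editor shows for a host-relative SID: SERVER\\name."""
    kind, n = sid_to_unix(sid)
    name = passwd[n] if kind == "uid" else group[n]
    return f"{host_name}\\{name}"


if __name__ == "__main__":
    # Constructed sample passwd/group tables.
    passwd, group = {500: "alice"}, {100: "users"}
    s = uid_to_sid(500)
    print(s, sid_to_unix(s), acl_display_name(s, "SAMBA", passwd, group))
    try:
        sid_to_unix(Sid.parse("S-1-5-21-999-888-777-2000"))
    except LookupError as e:
        print("rejected foreign SID:", e)
```

The round trip only works because both directions are anchored to the same host SID; the `domain != host_sid` check is the point of the example, since it is what stops a SID issued by some other SAM from being treated as a local uid.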


