Security Identifier (SID) to User Identifier (uid) Resolution System

Leslie M. Barstow III phoenix at faerealm.com
Wed Dec 29 06:39:55 GMT 1999


<INTRO>I had the pleasure of hearing Jeremy speak a couple of weeks ago at
the Denver SGI Linux U., and he talked about wanting an SMB nsswitch.  I
had indicated an interest in working on it, given some time to get a new
PC capable of compiling "Hello, World" in under an hour :-( - I have it,
and am still interested.</INTRO>

Having said that, the current discussion should be expanded just a little
to include an nsswitch module (winbind).  Nico's proposed API to Luke's
proposal is a good start on what winbind will need (although winbind will
then have to take the results and do NT resolution on it, and then
mangle the results a bit...).

Re: the local vs. remote user discussion, Luke is right.  According to NT,
these are different users, and we have to emulate the NT function, not
its POSIX non-equivalent.  Local or remote makes no difference. If you
have two local users named doej on the same system (don't ask, I've seen
it done - NT rules again ;^} ), they are still different, because they
have different SIDs.  Additionally, a user in DOM1 can be trusted in DOM2
(of which the Samba server is a member), and his RID can be the same as a
different user's RID in DOM2; the user should have different permissions
than his RID-lookalike in DOM2, so a RID-to-UID mapping is not possible.
So, the mapping *has* to be one-to-one reversible across the entire SID
mapping (wave goodbye to your UID pool...).

And I think that Samba *is* the place to do it.  Not all systems support
nsswitch, but Samba should be able to work without it.  Otherwise you get
greatly reduced compatibility in Samba, and wind up having to maintain the
winbind code with Samba anyway... (And Samba doesn't need all of
the functionality of winbind, only the UID/GID<->SID map - full names
and shell aren't used, and an NT-shared home directory isn't something we
want to re-share :-)

Re: the sid2*() call:  I think the unified call proposed by Luke is more
appropriate than Nico's - you really can't tell in an ACL if the SID
refers to a group or to a user (or a machine).  Having to code two calls
is more of a pain for developers in the long run.

====

On to commentary on the SURS draft:

Consider that the database on the other end of getpw*() might be winbind.
Assuming that winbind uses SURS code, a recursion would then be set up if
SURS automatically went to getpw*() to resolve an unknown SID to a UID; a
good SURS implementation should therefore be able to act as an
authoritative source of UIDs if configured as such.  The Samba
implementation should also probably have an option to link into the
account creation/deletion hooks in Samba.

--
Leslie M. Barstow III  | http://www.faerealm.com/phoenix
phoenix at faerealm.com   |    Linux and Apple][GS links:    computers/
PGP key at www.pgp.com |    Fight junk e-mail abuse!:     computers/spam/
Wow!  It all fits.     |
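The two design points made in the message above, that the map must be keyed on the whole SID rather than the RID, and that a SURS implementation must be able to act as an authoritative uid source instead of recursing into getpw*(), as an added example in Python. This is illustrative code written for this page, not code from the post, from Samba or from winbind; the class name SursMap, the uid pool bounds, the SID strings and the fallback resolver are all constructed assumptions.

```python
import re
from typing import Callable, Dict, Optional, Set

# SID syntax: S-1-<identifier authority>-<sub-authority>...-<RID>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str):
    """Split a SID string into (domain part, RID). Only the last sub-authority
    is the RID; everything before it identifies the issuing domain or machine."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


class SursMap:
    """Toy SID<->uid map (hypothetical, not Samba's). Keys are whole SIDs, so
    equal RIDs from different domains get different uids, and every uid maps
    back to exactly one SID (the one-to-one reversible property)."""

    def __init__(self, uid_base: int = 10000, uid_max: int = 20000,
                 authoritative: bool = True,
                 fallback: Optional[Callable[[str], Optional[int]]] = None):
        self.sid2uid: Dict[str, int] = {}
        self.uid2sid: Dict[int, str] = {}
        self.next_uid = uid_base
        self.uid_max = uid_max
        self.authoritative = authoritative
        # Hypothetical external resolver standing in for getpw*(); it may itself
        # be backed by winbind, which is exactly the recursion hazard.
        self.fallback = fallback
        self._in_progress: Set[str] = set()

    def sid_to_uid(self, sid: str) -> int:
        parse_sid(sid)  # reject garbage before it can pollute the map
        if sid in self.sid2uid:
            return self.sid2uid[sid]
        if sid in self._in_progress:
            raise RecursionError(f"re-entrant lookup of {sid}")
        self._in_progress.add(sid)
        try:
            uid = None
            if not self.authoritative and self.fallback is not None:
                uid = self.fallback(sid)
            if uid is None:  # authoritative mode, or fallback knew nothing
                uid = self._allocate()
        finally:
            self._in_progress.discard(sid)
        if uid in self.uid2sid and self.uid2sid[uid] != sid:
            raise ValueError(f"uid {uid} already bound to {self.uid2sid[uid]}")
        self.sid2uid[sid] = uid
        self.uid2sid[uid] = sid
        return uid

    def uid_to_sid(self, uid: int) -> Optional[str]:
        return self.uid2sid.get(uid)

    def _allocate(self) -> int:
        if self.next_uid > self.uid_max:
            raise RuntimeError("uid pool exhausted")
        uid = self.next_uid
        self.next_uid += 1
        return uid


def rid_collision_demo():
    """Constructed SIDs: two domains, same RID 1000.
    Returns (uid for DOM1 user, uid for DOM2 user, SID recovered from uid 1)."""
    m = SursMap()
    dom1_user = "S-1-5-21-111-222-333-1000"
    dom2_user = "S-1-5-21-444-555-666-1000"
    u1, u2 = m.sid_to_uid(dom1_user), m.sid_to_uid(dom2_user)
    return u1, u2, m.uid_to_sid(u1)


def recursion_guard_demo() -> bool:
    """Non-authoritative map whose fallback re-enters the map, modelling
    winbind -> SURS -> getpw*() -> winbind. True if the loop is caught."""
    m = SursMap(authoritative=False)
    m.fallback = lambda sid: m.sid_to_uid(sid)
    try:
        m.sid_to_uid("S-1-5-21-111-222-333-1000")
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print(rid_collision_demo())
    print("recursion guarded:", recursion_guard_demo())
```

A RID-keyed map would give both constructed users uid 10000; keying on the full SID gives 10000 and 10001 and lets uid_to_sid() return the exact SID, which is what an ACL check needs. The in-progress set is the minimal guard for the getpw*() loop; the real fix, as the message says, is configuring SURS as the authoritative source so the fallback is never consulted.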
