Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Luke Kenneth Casson Leighton lkcl at
Wed Dec 29 10:50:45 GMT 1999

> Wellll, in NT you have the concept of local users: RIDs relative to
> _host_ SIDs. A Samba server in security=domain mode is a domain member
> with a host SID assigned to it. The Samba server can only create new
> SIDs that are relative to its host SID. Mapping a uid/gid to a
> domain-relative SID would require that you make damn sure that the
> mapping is semantically correct. That's what you want to see done.

remember, creating a SID (and being responsible for it) is a different
task from mapping a SID to a uid.

you can only create SIDs for you own domain (local SAM or as a PDC)

you can map SIDs to uids for any chosen scheme that makes sense on a
network, as configured by an admin.

what all the fuss is about, i am fairly certain, is that these two things
are being confused.

i really need to get to the bottom of what it is that you, jeremy, think i
am thinking.  i'm clearly missing something, else you would be constantly
telling me what i already know [no remote POSIX users exist / can exist. i
even state this in the abstract - the first sentences! - on

> That's what I want as well, and I bet many others would like that too,
> because maintaining this *nix-and-NT-are-totally-different attitude is
> costly from a labor point of view.
> Until you can guarantee that equivalency between a given *nix domain's
> users/groups and a related NT domain you have to stick with Samba's
> current approach to uid/gid->sid mapping.

easier done than said.  trivially implemented.  i can code it up in about
two days.

> There's no need to argue here. Keep the current system, add support for
> externally provided mapoping solutions and you're set.

i would love to.  except that someone needs to convince jeremy that it#'s
possible and that it's ok to add it. 

More information about the samba-technical mailing list