Security Identifier (SID) to User Identifier (uid) Resolution System

Nicolas Williams Nicolas.Williams at wdr.com
Wed Dec 29 16:39:12 GMT 1999


On Tue, Dec 28, 1999 at 03:53:59PM -0800, Jeremy Allison wrote:
> Nicolas Williams wrote:
> > 
> >  - Microsoft includes a NIS server with w2k that makes lookups via LDAP
> >    into ActiveDirectory. The account/principal/uid/sid/whatever
> >    information is all in one place.
> 
> If that is so then they've already done the work for us.
> We're done :-).

Heh. You still need to map uids/gids to the domain-based SID to look
right. The current mapping system will work fine under all
circumstances, it's just that when you look at the ACL of a file on an
NT client you'll see a local user instead of the domain user that that
local user really is. The problem is cosmetic.

> >  - I work with a namespace management tool that is name service
> >    independent and scales very, very well to very large organizations
> >    and which can master NIS, DNS, LDAP, whatever namespace data. All in
> >    one place.
> 
> Yeah, but I bet stock NT doesn't integrate with it though :-).

We'll see.

> > Or PAM_LDAP. Same thing. With win2000 you get an LDAP interface to
> > ActiveDirectory.
> 
> No - PAM doesn't do user enumeration, just authentication.
> Enumeration is the nsswitch job.

Yes, I meant NSS_LDAP. I wrote PAM_LDAP. Sorry. BTW, Luke Howard has
written implementations of both.

> > Ok, yes. But we're not there yet. The namespace-management-tool-
> > layered-ontop-of-existing-name-services is workable today, at least for
> > me. Thus my interest in Luke's initiative.
> 
> Yeah - but Luke wants to do it in the wrong piece of code
> (Samba). Note that all the other things you mention are
> programs external to Samba - I'd like to keep it that way.

Does he?

Here's what I suggest: have an API to lookup uid/gid<->SID mappings and
let _others_ provide modules to implement the lookups any way that they
want. Then you have no code to implement these lookups in Samba; these
external modules would just be shared libraries. This way you satisfy
Luke's wishes without adding complexity to Samba (i.e., the Samba Team
won't be asked to support SURS modules because they are not a part of
Samba).

> Jeremy.


Nico
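The pluggable lookup API proposed in the message above, as an added example in C that is not Samba code and not from anyone on this thread: a SID string parser and formatter, a `surs_module` interface with `uid_to_sid` and `sid_to_uid` entry points, one example module, and a core that does nothing but iterate the module table. The module table is static rather than a set of dlopen()ed shared libraries, the domain SID S-1-5-21-1111-2222-3333 is a constructed value, and the RID = 1000 + 2*uid rule is an assumption made for the example, not Samba's real scheme; the names `dom_sid`, `surs_module`, `surs_uid_to_sid` and `surs_sid_to_uid` are all hypothetical.

```c
/* Added example, not Samba code: a minimal SURS-style lookup API. Modules map uid<->SID
 * behind one interface; the core only walks a module table (static here, not dlopen()ed). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define SID_MAX_SUB 15
struct dom_sid {
    uint8_t  revision;
    uint64_t authority;              /* 48-bit identifier authority */
    uint8_t  num_auths;
    uint32_t sub_auths[SID_MAX_SUB];
};
/* Module interface: each call returns 0 on success, -1 if it cannot map the id. */
struct surs_module {
    int (*uid_to_sid)(uid_t uid, struct dom_sid *out);
    int (*sid_to_uid)(const struct dom_sid *sid, uid_t *out);
};
/* Parse "S-1-5-21-a-b-c-rid"; rejects signs, blanks and oversized fields. */
int sid_parse(const char *str, struct dom_sid *out)
{
    const char *p = str;
    char *end;
    unsigned long long v;
    memset(out, 0, sizeof(*out));
    if ((*p != 'S' && *p != 's') || p[1] != '-' || p[2] != '1' || p[3] != '-') return -1;
    out->revision = 1;                                   /* only revision 1 exists */
    p += 4;
    if (*p < '0' || *p > '9') return -1;
    errno = 0;
    out->authority = strtoull(p, &end, 10);
    if (errno || out->authority > 0xFFFFFFFFFFFFULL) return -1;
    for (p = end; *p == '-'; p = end) {
        if (out->num_auths >= SID_MAX_SUB || p[1] < '0' || p[1] > '9') return -1;
        errno = 0;
        v = strtoull(p + 1, &end, 10);
        if (errno || v > 0xFFFFFFFFULL) return -1;
        out->sub_auths[out->num_auths++] = (uint32_t)v;
    }
    return (*p == '\0' && out->num_auths > 0) ? 0 : -1;
}
/* Format back to "S-1-..." text; -1 if buf is too small. */
int sid_format(const struct dom_sid *sid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "S-%u-%llu", (unsigned)sid->revision, (unsigned long long)sid->authority);
    for (uint8_t i = 0; i < sid->num_auths && n >= 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - n, "-%u", (unsigned)sid->sub_auths[i]);
    return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

/* Example module: algorithmic RIDs under one domain SID. The domain SID and the
 * RID = RID_BASE + 2*uid rule are constructed assumptions, not Samba's scheme. */
static const struct dom_sid domain = { 1, 5, 4, { 21, 1111, 2222, 3333 } };
#define RID_BASE 1000u
static int algo_uid_to_sid(uid_t uid, struct dom_sid *out)
{
    if ((uint64_t)uid * 2 + RID_BASE > 0xFFFFFFFFULL) return -1;  /* RID would overflow */
    *out = domain;
    out->sub_auths[out->num_auths++] = RID_BASE + 2u * (uint32_t)uid;
    return 0;
}

static int algo_sid_to_uid(const struct dom_sid *sid, uid_t *out)
{
    /* Only <our domain SID>-<RID> is ours; a SID from any other domain must
     * never be folded into a local uid, so the whole prefix is compared. */
    if (sid->num_auths != domain.num_auths + 1 || sid->revision != domain.revision ||
        sid->authority != domain.authority ||
        memcmp(sid->sub_auths, domain.sub_auths, domain.num_auths * sizeof(uint32_t)) != 0)
        return -1;
    uint32_t rid = sid->sub_auths[sid->num_auths - 1];
    if (rid < RID_BASE || (rid - RID_BASE) % 2 != 0) return -1;  /* odd RIDs are groups here */
    *out = (uid_t)((rid - RID_BASE) / 2);
    return 0;
}

static const struct surs_module algo_module = { algo_uid_to_sid, algo_sid_to_uid };
static const struct surs_module *modules[] = { &algo_module };
#define NMODULES (sizeof(modules) / sizeof(modules[0]))
/* Core API: try each module in order; the core never learns how a module resolves names. */
int surs_uid_to_sid(uid_t uid, char *buf, size_t len)
{
    struct dom_sid sid;
    for (size_t i = 0; i < NMODULES; i++)
        if (modules[i]->uid_to_sid(uid, &sid) == 0) return sid_format(&sid, buf, len);
    return -1;
}

int surs_sid_to_uid(const char *sid_str, uid_t *out)
{
    struct dom_sid sid;
    if (sid_parse(sid_str, &sid) != 0) return -1;
    for (size_t i = 0; i < NMODULES; i++)
        if (modules[i]->sid_to_uid(&sid, out) == 0) return 0;
    return -1;
}
```

The reverse direction deliberately compares the full domain prefix before trusting a RID. The cosmetic problem described above (a local account showing in an NT ACL where the domain account should be) is harmless, but a reverse mapping that accepted a RID under any domain SID would let an ACL entry from one domain resolve to a different local uid, which is not. A real module would also have to cover gids and well-known SIDs such as S-1-5-32-544, which this one simply refuses; refusing is the safe default for anything a module does not positively recognise.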



