Security Identifier (SID) to User Identifier (uid) Resolution System

Jeremy Allison jeremy at
Wed Dec 29 21:40:33 GMT 1999

Luke Kenneth Casson Leighton wrote:

> why is that?  GOT IT!  ok.  why do you think that a Unix
> machine can only be in one NT domain?

Because it makes mapping the Domain SID database to a POSIX
uid/gid database much easier. To put a UNIX box in more than
one domain complicates that mapping immensely.

Simple is good.

> samba cannot create remote unix users because it is a posix system.

> if we use winbind, we can create users in a SAM database, and because we
> control that SAM, the users in that SAM, when mapped to unix, can be
> considered to be your definition of "local" posix users, therefore because
> they are local POSIX uids (what you call "real" unix users), this is
> acceptable.
> is this a reasonable approximation of your understanding of "real" unix
> users, and how to create an NT world from a unix one?
> i really need to know.

Nope. You are not understanding me.

Consider a UNIX box running winbind to be *identical* to
an NT server in a domain.

Any users fetched from the PDC are "domain" users, and
the RID fetched from the PDC becomes the uid or gid.

Any users fetched from the /etc/passwd database are "local"
users and the admin must make sure these have values lower
than 1000 (so as not to collide with the RIDs from the 
PDC database).

If Samba needs to re-generate SIDs for ACL purposes in
this system then any uid/gid > 1000 gets mapped to
DOMAIN-PREFIX-<uid/gid>, and any uid/gid < 1000 gets
mapped to MACHINE-PREFIX-<uid/gid>.

This is *extremely* simple and is the "minimum necessary
change" to allow UNIX to play *very well* in an NT
Domain environment.

No mapping tables needed.


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
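The mapping rule described in the message above, worked through as an added example (this is illustration code, not Samba's or winbind's; the two SID values are constructed, and treating the boundary value 1000 itself as local is an assumption, since the post only says "> 1000" and "< 1000"). The reverse mapping refuses a SID whose RID contradicts its prefix, and the audit helper finds local passwd entries that break the "lower than 1000" invariant the admin must keep:

```python
from __future__ import annotations
import re

# Boundary from the post: ids below it are "local" (/etc/passwd), ids at or
# above it came from the PDC and are RIDs. Assumption: 1000 itself counts as local.
LOCAL_MAX = 1000

# Constructed example SIDs (hypothetical values, not from the post).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
MACHINE_SID = "S-1-5-21-4444-5555-6666"

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def sid_from_id(xid: int) -> str:
    """uid/gid -> SID: PDC-range ids become DOMAIN-PREFIX-<id>,
    local-range ids become MACHINE-PREFIX-<id>. No mapping table."""
    if xid < 0:
        raise ValueError("uid/gid must be non-negative")
    prefix = DOMAIN_SID if xid >= LOCAL_MAX else MACHINE_SID
    return f"{prefix}-{xid}"


def id_from_sid(sid: str) -> int:
    """SID -> uid/gid. Rejects unknown authorities and SIDs whose RID lies in
    the wrong range for their prefix, so one identity cannot alias another."""
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    prefix, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)
    if prefix == DOMAIN_SID and rid >= LOCAL_MAX:
        return rid
    if prefix == MACHINE_SID and rid < LOCAL_MAX:
        return rid
    raise ValueError(f"SID {sid} is not consistent with the uid/gid split")


def local_ids_in_domain_range(passwd_text: str) -> list[str]:
    """Audit: names of local accounts whose uid would collide with a PDC RID,
    i.e. the invariant the admin must maintain has been violated."""
    offenders = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) >= LOCAL_MAX:
            offenders.append(fields[0])
    return offenders
```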
