Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Jeremy Allison jeremy at
Wed Dec 29 21:43:21 GMT 1999

Nicolas Williams wrote:

> The API I proposed is not an NSS API because there is no standard
> get*by*() Unix API that deals with SIDs. We had a long thread on the XAD
> list about how it would be nice if *nix kernels (and libc's) had a more
> generic credential interface. These topics are related :)

I agree the UNIX kernels need a more generic credential interface.

I'm not convinced that SIDs or copying NT is the right answer though.
That's where we differ. I want to look at the problem in isolation
from NT and try to solve it *right* rather than copying another
design (which has its own problems).

> The traditional Unix uid/gid system is inferior to the NT SID system.

I agree. I just am not convinced that adding SIDs to POSIX is the
right thing to do. The approach used by Kerberos or DCE may be better.
> How about something like this:
> #define POSIX_USER_CRED 1
> #define POSIX_GROUP_CRED 2
> struct posix_cred {
>         int type;
>         union guid {
>                 uid_t uid;
>                 gid_t gid;
>         }
> }
> int surs_sid2guid(surs_handle * handle, sid_t sid, posix_cred * pcred);
> The int result of the surs_sid2guid() function would be used to indicate
> success/failure+reason.

This looks fine for winbind. I just don't want it in Samba.


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list