Security Identifier (SID) to User Identifier (uid) Resolution System

Jeremy Allison jeremy at
Wed Dec 29 21:52:30 GMT 1999

Luke Kenneth Casson Leighton wrote:
> > If someone updates the NT account db, or the
> > UNIX one, without editing this mapping file, the admin is
> > hosed.
> adding to the NT account db or the Unix one is fine.

No it isn't, because then the assumptions you have made
(that the admin is all powerful and never makes mistakes)
are *wrong*, and their system will be screwed.

> as outlined in the opening paragraphs of the auto-population section,
> which is why i propose auto-pop.

How do you fix drift? Your solution doesn't address this at

> ummm... not quite :)  you still need to choose a local POSIX uid/gid (i
> take it you're talking about appliance mode, here), so you _still_ need a
> SURS table.

No - you need a SURS *algorithm*, not a table. Tables get
messed up and drift.

> weelll... it only has to be _presented_ in NT-format, and the external
> presentation is MSRPC, and we already have a 99% complete implementation of
> \PIPE\samr, so that's no problem: all we need now is a comprehensive
> password db api implementation.

Yes. That's called winbind.

> > as MS don't release enough information to replace the
> > authentication and authorization code on NT. On UNIX
> > however, we have PAM (for replaceable authentication)
> > and nsswitch (for replaceable authorization - ie. enumerating
> > user and group lists).
> i know enough about NT stuff to know what to do

Then I (and millions of NT users around the world) wish
you would do it :-).

> ok.  again, exactly the same problem applies to winbind as it does in
> samba.
> someone needs to make the decision about how to _create_ SIDs, and someone
> else needs to make the decision about how to map SIDs to uids/gids.
> the synthesis you describe above is one possible implementation.  that
> implementation suffers from exactly the same limitations that samba 2.0.x
> has, because you are confusing (i think) the role of SID creation with
> SID/uid mapping in exactly the same way for both samba 2.0.x and winbind.

It is one solution for winbind. Whoever writes the code gets to choose :-).

> oh no.  you think that by creating winbind, we can optimise uids/gids /
> RID lookups?
> no.  please.  if you start thinking that's acceptable, you're _really_
> going to mess this up and continue to argue with me about this.

Yes, it is acceptable. Yes, I do think this. This is why
we're still arguing :-).


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
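The "SURS *algorithm*, not a table" point above, as an added example that is not from this thread or from Samba: a deterministic per-domain uid range with the RID as the offset (the scheme winbind later shipped as its idmap_rid backend), plus a check that exposes the drift a hand-edited mapping table accumulates. The domain SIDs and ranges are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config: domain SID -> (uid_base, range_size).
# The domain SIDs are placeholders, not real identifiers; ranges are disjoint.
DOMAIN_RANGES: Dict[str, Tuple[int, int]] = {
    "S-1-5-21-1111-2222-3333": (10000, 100000),
    "S-1-5-21-4444-5555-6666": (110000, 100000),
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into its domain SID and integer RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_uid(sid: str) -> int:
    """Algorithmic mapping: uid = range base of the SID's domain + RID.
    No table is consulted, so nothing can go stale between NT and UNIX."""
    domain, rid = split_sid(sid)
    if domain not in DOMAIN_RANGES:
        raise LookupError(f"no uid range configured for domain {domain}")
    base, size = DOMAIN_RANGES[domain]
    if rid >= size:
        raise OverflowError(f"RID {rid} does not fit the range of {domain}")
    return base + rid


def uid_to_sid(uid: int) -> str:
    """Inverse mapping: find the range containing uid and recover the RID."""
    for domain, (base, size) in DOMAIN_RANGES.items():
        if base <= uid < base + size:
            return f"{domain}-{uid - base}"
    raise LookupError(f"uid {uid} lies in no configured domain range")


def find_table_drift(table: Dict[str, int]) -> List[str]:
    """Return the SIDs whose hand-maintained table entry disagrees with the
    algorithm, i.e. the drift a static mapping file accumulates over time."""
    return sorted(sid for sid, uid in table.items() if sid_to_uid(sid) != uid)
```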
