Security Identifier (SID) to User Identifier (uid) Resolution System

Nicolas Williams Nicolas.Williams at wdr.com
Wed Dec 29 20:55:36 GMT 1999


On Wed, Dec 29, 1999 at 01:43:21PM -0800, Jeremy Allison wrote:
> Nicolas Williams wrote:
> 
> > The API I proposed is not an NSS API because there is no standard
> > get*by*() Unix API that deals with SIDs. We had a long thread on the XAD
> > list about how it would be nice if *nix kernels (and libc's) had a more
> > generic credential interface. These topics are related :)
> 
> I agree the UNIX kernels need a more generic credential interface.
> 
> I'm not convinced that SIDs or copying NT is the right answer though.
> That's where we differ. I want to look at the problem in isolation
> from NT and try to solve it *right* rather than copying another
> design (which has its own problems).

Yes.

> > The traditional Unix uid/gid system is inferior to the NT SID system.
> 
> I agree. I just am not convinced that adding SIDs to POSIX is the
> right thing to do. The approach used by Kerberos or DCE may be better.

?

Kerberos has no uid/sid like concept. Kerberos only has names
(principals) and domains (realms).

Let's just say that the main benefit of SIDs is that they provide some
hierarchy where uids provide none.

> > How about something like this:
> > 
> > #define POSIX_USER_CRED 1
> > #define POSIX_GROUP_CRED 2
> > struct posix_cred {
> >         int type;
> >         union guid {
> >                 uid_t uid;
> >                 gid_t gid;
> >         } guid;
> > };
> > 
> > int surs_sid2guid(surs_handle * handle, sid_t sid, struct posix_cred * pcred);
> > 
> > The int result of the surs_sid2guid() function would be used to indicate
> > success/failure+reason.
> 
> This looks fine for winbind. I just don't want it in Samba.

The idea is to make Samba use that API and for some external agent to
provide it.

If you agree with that then the argument is over. Luke can code in
support for this API and someone else can code the API provider, outside
the scope of Samba.

> Jeremy.


Nico
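As an added illustration that is not part of this thread, of Samba or of winbind: a toy resolver implementing the proposed surs_sid2guid() over a constructed directory. The thread leaves sid_t and surs_handle undefined, so this assumes a SID arrives as its textual "S-1-5-21-...-RID" string and that the handle carries the lookup table; the domain prefixes, RIDs and id ranges are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define POSIX_USER_CRED  1
#define POSIX_GROUP_CRED 2
enum { SURS_OK = 0, SURS_EBADSID = -1,        /* not a syntactically valid SID */
       SURS_ENODOMAIN = -2, SURS_ENOENT = -3 }; /* domain unknown / RID unknown */
struct posix_cred { int type; union { uid_t uid; gid_t gid; } guid; };
typedef const char *sid_t;  /* assumption: textual "S-1-5-21-a-b-c-RID" form */
/* Assumption: the handle is the resolver's directory. Each entry names a domain
 * prefix, a RID in it, the RID's kind, and the base of that domain's id range. */
struct surs_entry { const char *prefix; unsigned rid; int type; uid_t base; };
typedef struct { const struct surs_entry *ent; size_t nent; } surs_handle;

int surs_sid2guid(surs_handle *h, sid_t sid, struct posix_cred *pcred)
{
    const char *dash = strrchr(sid, '-');
    char prefix[64], *end;
    size_t i, plen; unsigned long rid; int rc = SURS_ENODOMAIN;
    /* Syntax: "S-1-...-<RID>" with an all-digit RID and a prefix that fits. */
    if (strncmp(sid, "S-1-", 4) != 0 || dash == NULL || dash[1] == '\0')
        return SURS_EBADSID;
    rid = strtoul(dash + 1, &end, 10);
    plen = (size_t)(dash - sid);
    if (*end != '\0' || plen >= sizeof prefix) return SURS_EBADSID;
    memcpy(prefix, sid, plen); prefix[plen] = '\0';
    /* The hierarchy plain uids lack: the domain prefix selects the id range,
     * the RID selects the slot in it, so two domains never hand out one id. */
    for (i = 0; i < h->nent; i++) {
        if (strcmp(h->ent[i].prefix, prefix) != 0) continue;
        rc = SURS_ENOENT;               /* domain is known; keep looking for RID */
        if (h->ent[i].rid != rid) continue;
        pcred->type = h->ent[i].type;
        if (pcred->type == POSIX_USER_CRED) pcred->guid.uid = h->ent[i].base + rid;
        else pcred->guid.gid = h->ent[i].base + rid;
        return SURS_OK;
    }
    return rc;
}

static const struct surs_entry demo_ent[] = {   /* constructed directory */
    { "S-1-5-21-1000-2000-3000",  500, POSIX_USER_CRED,  10000 },
    { "S-1-5-21-1000-2000-3000",  512, POSIX_GROUP_CRED, 10000 },
    { "S-1-5-21-4000-5000-6000", 1104, POSIX_USER_CRED,  20000 } };
struct posix_cred demo_cred;
int demo_resolve(sid_t sid)   /* resolves against demo_ent, result in demo_cred */
{
    surs_handle h = { demo_ent, sizeof demo_ent / sizeof demo_ent[0] };
    return surs_sid2guid(&h, sid, &demo_cred);
}
```

The base + RID sum is not bounded here; a real resolver has to cap the RID or size each domain's range so that two domains cannot be mapped onto the same uid.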
