Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Jeremy Allison jeremy at
Wed Dec 29 21:56:31 GMT 1999

Luke Kenneth Casson Leighton wrote:
> 2) when _any_ SID comes in, the same rid-uid function is used.  any SIDS
> that do not match the SAM SID at the front are REJECTED.
> the rejection bit is what i object to about this algorithm.

That's where we differ. We can only allow this if we have a
mapping table. You want one. I don't. That's the core of
this argument.

> if a SURS table existed, (db implementation) we could map, say,
> SAMBASERVERDOMAIN\user1 to uid500, and DOMAIN2\user1 to uid501, and
> DOMAIN3\user1 to uid502, where uid500 has a unix pw entry name of user1,
> uid501 has D"user1 and 502 has D3user2.  slightly painful, but not as
> stupidly limiting as thininkg that i think remote users exist on POSIX!

And what happens when these account databases get (separately)
updated. If people forget to update the mapping table you
are *hosed*. Admins will burn you in effigy for designing

I can't imagine *any* admin saying, "oh yes, that's just
what we need - *ANOTHER* account database (which is what
a mapping table is) to keep in sync with all the others 
we have. Mmmm, yes. That'll make our jobs *much* easier..."




Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list