Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Nicolas Williams Nicolas.Williams at wdr.com
Wed Dec 29 21:27:52 GMT 1999 

On Wed, Dec 29, 1999 at 02:15:48PM -0800, Jeremy Allison wrote:
> Nicolas Williams wrote:
> > 
> > On Wed, Dec 29, 1999 at 01:59:42PM -0800, Jeremy Allison wrote:
> > > Nicolas Williams wrote:
> > >
> > > > Kerberos has no uid/sid like concept. Kerberos only has names
> > > > (principals) and domains (realms).
> > >
> > > *Precisely*. Kerberos and DCE use a name based mapping, not
> > > a number based one.
> > 
> > So you think filesystems should use strings instead of integers to
> > represent users and groups in file ACLs? Uids, gids, sids, they're all
> > optimisations.
> 
> No, I didn't mean filesystems. I was talking about mapping
> names into security contexts. NT SIDs are one way of doing that,
> Kerberos/DCE is another (although they're converging in Win2k :-).
> 
> > I'm confused. Samba is the fileserver, Samba has to convert uids/gids to
> > SIDs to emulate NT ACLs to SMB clients. So Samba needs to be able to
> > convert uids/gids to SIDs at least. The reverse is not necessary unless
> > you want to support clients adding/removing users/groups from Unix
> > files' ACLs (where Unix supports ACLs).
> 
> Yes, ok. I wasn't clear here. Samba does have to do this, but I'm
> trying to avoid implementing a very complex mapping function to 
> to this, and leave it very simple.
> 
> > Now, I agree that if the only thing Samba needs to do is convert
> > uids/gids to SIDs then using the fileserver's host SID as the base SID
> > and algorythmically converting uids/gids to RIDs of that SID works
> > fine.
> 
> Hurrah, we agree :-).
> 
> Jeremy.

Ay. I should clarify what I'm thinking here:

 - I agree that the current uid/gid->RID-of-local-SID algorythmic
   mapping works fine as it is.

 - I agree that letting Samba optionally use an API to an external SURS
   database would be fine (this represents very little extra code in
   Samba). Samba wouldn't have to implement any complex mapping
   function: it would let an external library do whatever it is that it
   does.

Also, some organizations do have the tools needed to keep Unix and NT
user/group databases in sync. I've said that before. For those who do
have these tools having Samba + SURS tables would be nice, but the
difference is cosmetic (as I've said before).

I've found a way to agree with both you and Luke (not that I'm the
pragmatic type). You dispelled my concern about Samba and multiple
domains in another e-mail, so my interest in SURS goes back to being
mild.

Nico

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

More information about the samba-technical mailing list