Security Identifier (SID) to User Identifier (uid) Resolution System

Luke Kenneth Casson Leighton lkcl at
Thu Dec 30 05:46:01 GMT 1999

... and here's the unfinished one about how to use SURS tables in
pam_ntdom, pam_smb, and winbind:
been thinking a bit more about the various programs, winbind, pam_ntdom
and pam_smb.  i thought i'd describe how i think these should be using
SURS tables.

pam_ntdom and pam_smb:

user auth request comes in: DOMAINNAME\username clear-text password

resolve domainname to servername (PDC).  authenticate user using NETLOGON
(pam_ntdom) or SMBsesssetupX (pam_smb).  if this fails, authentication
request fails.

NetrSamLogon returns a SID in the user's profile. proceed to next step.

SMBsesssetupX does not, therefore an LsaLookupNames(DOMAINNAME\username)
call must be issued to obtain the SID.  if this fails, the authentication
request fails.

SID is looked up in SURS table to obtain uid.  if this fails,
the authentication request fails.

getpwuid(uid) is called to obtain Unix user name.  if this fails,
the authentication request fails.

pam creds are modified to substitute real unix user name with the "unreal"
DOMAINNAME\username that came in on the original request.  you now have
successfully authenticated an "unreal" NT user of ANY domain to a "real"
unix user.

winbind:

this one is a little bit more tricky, conceptually.  essentially, it
all boils down to what we allow to be "real" unix users.  microsoft's
POSIX / SID mapping algorithm gives us a clue as to what is possible.
if you think that microsoft's algorithm is not possible, think again.
it's nasty, it has limitations, and it's definitely possible. see
draft-lkcl-sidtouidmap-00.txt, section 6.2.

i repeat: if you think it's not possible, think again.  using winbind we
CONTROL the uid space and therefore DEFINE what users are real, just as
microsoft controls the uid space with their POSIX / SID mapping algorithm.

following microsoft's lead, i CHOOSE to define "real" winbind-based users
to be:

- the users in the local SAM database named "MYSAM"

- the users in the local SAM database named "BUILTIN"

- the users in any trusted SAM database

- the users on any local Workstation SAMs in use on our network.

yes, kiss goodbye to your uid space, so this is going to have to be
REALLY carefully regulated.
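The pam_ntdom/pam_smb pipeline above and the winbind "real user" policy, as an added example that is not part of the post or of Samba: a Python model in which a SURS table hands out uids only for SIDs from domains declared real, and authentication fails closed at every step (bad password, no SID, SID not in SURS, no passwd entry). The domain SIDs, accounts, uid range and passwd table are constructed; the DC and LSA calls are stubs standing in for NetrSamLogon, SMBsesssetupX and LsaLookupNames.

```python
# Constructed model of the SURS-based flow described in the post; it is not Samba, pam_ntdom
# or winbind code, and every domain SID, account, uid and passwd entry below is made up.

def domain_of(sid):
    # A full SID is <domain SID>-<RID>; strip the last sub-authority (the RID).
    if not sid.startswith("S-1-") or sid.count("-") < 4:
        raise ValueError("malformed SID: %r" % sid)
    return sid.rpartition("-")[0]

class SursTable:
    # SID -> uid table: only SIDs from "real" domains (MYSAM, BUILTIN, trusted, workstations) get a uid.
    def __init__(self, real_domains, uid_base, uid_max):
        self.real_domains, self.uid_max = set(real_domains), uid_max
        self.next_uid, self.sid_to_uid = uid_base, {}
    def lookup(self, sid):
        # Allocate on first sight; None if the domain is not real or the controlled range is exhausted.
        if sid not in self.sid_to_uid:
            if domain_of(sid) not in self.real_domains or self.next_uid > self.uid_max:
                return None  # fail closed: this SID never becomes a Unix user
            self.sid_to_uid[sid] = self.next_uid
            self.next_uid += 1
        return self.sid_to_uid[sid]

def authenticate(domain_user, password, dc_auth, lsa_lookup_names, surs, getpwuid):
    # Fail-closed pipeline: PDC auth -> SID -> SURS uid -> Unix name; None at any failure.
    # dc_auth returns (ok, sid): NetrSamLogon returns the SID, SMBsesssetupX does not.
    ok, sid = dc_auth(domain_user, password)
    if not ok:
        return None
    if sid is None:  # SMBsesssetupX path: resolve DOMAINNAME\username with LsaLookupNames
        sid = lsa_lookup_names(domain_user)
        if sid is None:
            return None
    uid = surs.lookup(sid)
    if uid is None:
        return None
    unix_name = getpwuid(uid)  # the "real" Unix user that the pam creds will carry
    return None if unix_name is None else (unix_name, uid, sid)

# Constructed sample environment: MYSAM is real, OTHER is not trusted, uid range 10000-10001.
MYSAM = "S-1-5-21-111-222-333"
ACCOUNTS = {"MYSAM\\alice": ("secret", MYSAM + "-1001"),
            "OTHER\\mallory": ("pw", "S-1-5-21-444-555-666-1002")}
SURS = SursTable([MYSAM], uid_base=10000, uid_max=10001)
PASSWD = {10000: "alice", 10001: "bob"}
def netlogon_auth(user, password):  # NetrSamLogon style: the SID comes back with the profile
    ok = user in ACCOUNTS and ACCOUNTS[user][0] == password
    return ok, (ACCOUNTS[user][1] if ok else None)
def lsa_lookup_names(user):  # LsaLookupNames(DOMAINNAME\username) -> SID, or None if unknown
    return ACCOUNTS[user][1] if user in ACCOUNTS else None
```

Pass `PASSWD.get` as the getpwuid argument to run against the constructed passwd table; a SID from the untrusted domain is refused by the SURS lookup even with a correct password.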