Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Leslie M. Barstow III phoenix at
Thu Dec 30 07:12:55 GMT 1999

On Thu, 30 Dec 1999, Jeremy Allison wrote:
> Luke Kenneth Casson Leighton wrote:

> > why is that?  GOT IT!  ok.  why do you think that a Unix
> > machine can only be in one NT domain?

> Because it makes mapping the Domain SID database to a POSIX
> uid/gid database much easier. To put a UNIX box in more than
> one domain complicates that mapping immensely.

> Simple is good.

Simple is not realistic in this case, though.
The last couple of jobs I've worked at both used multiple
domains - people using a server could be from any of them.

> Consider a UNIX box running winbind to be *identical* to
> an NT server in a domain.

It has to be.  That means it has to support the concept of
multiple Domains.  That means a simple RID<->uid/gid
translation is just not possible - different NT domains
will use the same RID for different purposes.  And that
means Winbind needs a table, not just an algorithm - it
needs a memory so it knows to renumber conflicting RIDs
from different domains.

BTW - here's a dumb question (kind of related via winbind)
      is there an 8-character limitation to the getpwnam()
      implementation?  IIRC, at least the passwd file has
      this limit (in Linux).

Leslie M. Barstow III  |
phoenix at   |    Linux and Apple][GS links:    computers/
PGP key at |    Fight junk e-mail abuse!:     computers/spam/
Wow!  It all fits.     |

More information about the samba-technical mailing list