Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Leslie M. Barstow III phoenix at
Thu Dec 30 07:56:15 GMT 1999

I think we're not as far out of agreement here as it looks:

* tables vs. algorithms: Samba can generate outgoing (PDC) SIDs by
  algorithm.  Inbound, it currently uses usernames.  This *could* be
  strengthened with the Domain authentication code returning a SID -
  different users with the same username on different domains could
  confuse this, as could re-using names on the same domain.  A table-based
  solution would ensure we got the right one.

  (note: this scenario shows poor advance planning, but sometimes that's
   the only planning you get - departments and companies merge...)

* table code: doesn't need to be maintained in Samba; it can be a seperate
  library.  Personally, I think it could go into libsmb without being
  much of a maintenance drain, but it's not necessary.

* winbind: Samba *could* use winbind to do it's uid resolution, but
  needs to pass a full "user at domain" name to ensure proper identification.
  I'm not sure all systems' getpwnam() functions are up to handling long
  names, though.  Also, this does not lock out name re-use, and NT
  encourages it by doing all authentication based on SID (not
  name) - Samba has the right info, Winbind wouldn't.  Also, Winbind
  should be using a table lookup to prevent confusion in complex

* SURS table maintenance: Jeremy has a good point here.  It needs to be
  updated reliably by programs accessing this interface (the api itself
  does not show a need for accessing NT to validate these items - it
  only stores the information.  Another program would seem to be
  responsible for maintaining the table.

* A real solution: Is going to be a long time coming.  PAM offers the
  ability to set tickets, and XFS can set arbitrary attribute fields,
  but the rest of the system calls and compatability just aren't there.

Leslie M. Barstow III  |
phoenix at   |    Linux and Apple][GS links:    computers/
PGP key at |    Fight junk e-mail abuse!:     computers/spam/
Wow!  It all fits.     |

More information about the samba-technical mailing list