Security Identifier (SID) to User Identifier (uid) Resolution System

Leslie M. Barstow III phoenix at
Thu Dec 30 20:16:04 GMT 1999

On Thu, 30 Dec 1999, Jeremy Allison wrote:
> "Leslie M. Barstow III" wrote:

> > Simple is not realistic in this case, though.
> > The last couple of jobs I've worked at both used multiple
> > domains - people using a server could be from any of them.

> But that doesn't actually matter to the Samba server at all.
> So long as it authenticates to the correct DC then the
> user will be mapped into a user with the same name on the
> UNIX box (ignoring name mapping for the present).

We can't ignore name mapping (in terms of duplicate names at
least) - it's legitimate under NT, so we have to consider it.

> > > Consider a UNIX box running winbind to be *identical* to
> > > an NT server in a domain.

> > It has to be.  That means it has to support the concept of
> > multiple Domains.

> Why ? An NT member server doesn't.

If you want Samba to use it it does.  A user from a different
domain can be given access to shared resources.  That access
is granted via the user's SID - which has a *DIFFERENT* domain
root than the server, even if the username is the same.

And under Windows 2000, you can sign in to other domains just
by throwing an @other.domain after your username. 

> > That means a simple RID<->uid/gid
> > translation is just not possible - different NT domains
> > will use the same RID for different purposes.  And that
> > means Winbind needs a table, not just an algorithm - it
> > needs a memory so it knows to renumber conflicting RIDs
> > from different domains.

> winbind only queries the DC for *one* domain, the domain
> the UNIX box is in. It doesn't need to deal with other domain sids.

See the above two examples.

Your quest to keep it simple works under most (controlled)
circumstances, but I've been around too long to believe companies
actually work that way.

Leslie M. Barstow III  |
phoenix at   |    Linux and Apple][GS links:    computers/
PGP key at |    Fight junk e-mail abuse!:     computers/spam/
Wow!  It all fits.     |

More information about the samba-technical mailing list
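The collision the post describes (the same RID issued by two different domains, so a uid derived from the RID alone is ambiguous) and the table-based fix it argues for can be shown concretely. The following is an added illustration, not code from the post or from Samba/winbind; the two domain SIDs and the 10000-20000 uid range are constructed sample values, and the IdmapTable class is a hypothetical stand-in for whatever persistent store winbind would keep.

```python
"""Added example (not Samba/winbind code): a RID-only SID->uid mapping
collides across NT domains; a persistent SID->uid table does not."""
import re

# An NT SID looks like S-1-5-21-<domain part>-<RID>; the RID is only
# unique within its issuing domain.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split an SID string into (domain_sid, rid)."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_uid(sid, base=10000):
    """The 'simple' algorithm under discussion: uid = base + RID.
    The domain part is thrown away, which is exactly the problem."""
    _, rid = parse_sid(sid)
    return base + rid


class IdmapTable:
    """Stateful SID->uid allocator (the 'memory' the post calls for).
    Every distinct full SID gets the next free uid; lookups are stable
    and reversible, and the table can be dumped/reloaded so that uids
    on disk keep meaning the same SID after a restart."""

    def __init__(self, low=10000, high=20000):
        self.low, self.high = low, high
        self.sid_to_uid = {}
        self.uid_to_sid = {}
        self.next_uid = low

    def uid_for(self, sid):
        domain, rid = parse_sid(sid)          # validates the string
        key = "%s-%d" % (domain, rid)         # keep the FULL sid as key
        if key in self.sid_to_uid:
            return self.sid_to_uid[key]
        if self.next_uid > self.high:
            raise RuntimeError("idmap uid range exhausted")
        uid = self.next_uid
        self.next_uid += 1
        self.sid_to_uid[key] = uid
        self.uid_to_sid[uid] = key
        return uid

    def sid_for(self, uid):
        return self.uid_to_sid.get(uid)

    def dump(self):
        """Serialize as 'uid sid' lines (hypothetical on-disk format)."""
        return "\n".join("%d %s" % (u, s)
                         for u, s in sorted(self.uid_to_sid.items()))

    @classmethod
    def load(cls, text, low=10000, high=20000):
        t = cls(low, high)
        for line in text.splitlines():
            uid_s, sid = line.split(" ", 1)
            uid = int(uid_s)
            t.sid_to_uid[sid] = uid
            t.uid_to_sid[uid] = sid
            t.next_uid = max(t.next_uid, uid + 1)
        return t


# Constructed sample: two trusting domains that each issued RID 1001.
CORP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
PARTNER_SID = "S-1-5-21-4444444444-5555555555-6666666666-1001"


def rid_mapping_collides():
    """True if the RID-only scheme gives both users the same uid."""
    return rid_to_uid(CORP_SID) == rid_to_uid(PARTNER_SID)


def table_mapping():
    """Allocate uids via the table, reload it from its dump, and return
    (corp_uid, partner_uid, corp_uid_after_reload, sid_behind_partner_uid)."""
    t = IdmapTable()
    corp = t.uid_for(CORP_SID)
    partner = t.uid_for(PARTNER_SID)
    t2 = IdmapTable.load(t.dump())
    return corp, partner, t2.uid_for(CORP_SID), t2.sid_for(partner)


if __name__ == "__main__":
    print("RID-only collision:", rid_mapping_collides())
    print("table mapping:", table_mapping())
```

Running this shows the RID-only scheme assigning 11001 to both users, while the table hands out 10000 and 10001 and still resolves them the same way after being reloaded from its dump.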