Security Identifier (SID) to User Identifier (uid) ResolutionSystem

Luke Kenneth Casson Leighton lkcl at
Thu Dec 30 20:32:21 GMT 1999

On Thu, 30 Dec 1999, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> > 
> > a reminder: how do you distinguish between uids in a local /etc/passwd
> > and a remote NIS db, when the implementation of getpwnam() / getpwuid()
> > or equivalents is designed to hide exactly that from users?
> You don't. That is the whole point of the POSIX scheme.

exactly.  you wanted an answer to this question, and i gave you a
potential scheme to be able to do it.  you didn't explain _why_ you wanted
to distinguish betrween the two!
> > scheme 1 is as i first answered: you have two SURS tables.  one is
> > maintained manually by the administrator [the administrator also
> > maintains the /etc/passwd entries, so why not add the extra burden
> > of maintaining a SURS table, too? :]
> Because it is an *extra* account databases.

it's a SURS table, not an accounts database.  it maps _between_ the unix
and NT worlds, ait is not _of_ the uniox or NT worlds.

> Remember George Orwell,
> 1 account db good,
> 2 account db's bad...
> :-).

> > DOMAIN1\Administrator=root
> > DOMAIN1\Support%2=is%2
> > DOMAIN1\%1 = %1
> > DOMAIN1\* = guest1
> > DOMAIN1\* = guest2
> > DOMAIN1\* = guest3
> > DOMAIN2\Guest = guest4
> > DOMAIN3\Guest = guest5
> > DOMAIN3\Administrator = d3root
> > DOMAIN3\%3 = d3%3
> This is *hideous* (and completely opaque). I can't believe you're
> seriously suggesting such a file. Why not go the whole hog and define
> it as a perl or awk program !

hmm.... that would do.  whatever it is, it doesn't matter.  it should be
able to map NT names to unix names in as compact a fashion as possible.
NT name of form DOMAIN\ntuser, unix nmame unixuser.

> > please think REALLY hard about why i might think that this is an
> > unnecessary restriction.  please LOOK at the example unix password
> > database i created, which has users d3root, d3doej and d3fred as REAL,
> > LOCAL unix users - NOT remote users, because as i keep telling you i KNOW
> > posix doesn't support the concept remote users, so i created three LOCAL
> > ones instead!
> This is where we disagree. However, I do agree that having
> a .so mechanism is a good idea so that you can write whatever monstrosity
> you want to map users and load it into Samba :-).
> Just distribute it as an add-on package, that's all I ask :-).


will do.

More information about the samba-technical mailing list