Security Identifier (SID) to User Identifier (uid) Resolution
Luke Kenneth Casson Leighton
lkcl at samba.org
Wed Jan 5 01:13:12 GMT 2000
> Well, I said what I did under the assumption that there would be no
> mapping from -2 back to any SID (i.e. the mapping function would fail).
the mapping from SID to unknown uid MUST fail. the mapping from uid to
unknown SID MUST fail.
> The only reason for mapping to nobody is that it has to map to
> SOMETHING as far as POSIX is concerned. If you stat() such an object, and
> you simply have no mapping for its SID to fill out the st_uid field with,
> it's basically a choice of either root or nobody. Nobody really does mean
> nobody, so it really oughtn't map back to an SID at all.
what's wrong with failing the stat(), or other file operation if the
mapping function (either way) fails?
> I don't think creating a mapping on-the-fly is appropriate in the
> kernel, because that's heavily a policy decision (i.e. some range of uids
> must be allocated, etcetera). Now, the one sticky bit (no pun) is what you
> do if you have a whole slew of SIDs on the disk that aren't otherwise
> already known to your system -- I don't know quite what to do about that
> case. I'd tend to think you'd have a similar situation on an NT box,
yep. those are "deleted" sids, or the trusted domain relationship failed,
or someone's been messing with a sam db. etc.
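
The two behaviours debated in this message, as an added example that is not part of the original post or of Samba's code: a mapping that fails in both directions for unknown entries, and a stat()-style fill that either propagates that failure or reports nobody (-2) without ever mapping it back to a SID. The table contents, SID strings, uids, function names and the -ENOENT return value are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

#define UID_NOBODY ((uid_t)-2)   /* the "-2" from the thread */

/* Constructed sample table; SIDs and uids are made up for illustration. */
struct sid_map { const char *sid; uid_t uid; };
static const struct sid_map table[] = {
    { "S-1-5-21-1111-2222-3333-1000", 500 },
    { "S-1-5-21-1111-2222-3333-1001", 501 },
};
#define NMAP (sizeof(table) / sizeof(table[0]))

/* SID -> uid: fails with -ENOENT for an unknown SID, never guesses. */
int sid_to_uid(const char *sid, uid_t *uid)
{
    for (size_t i = 0; i < NMAP; i++)
        if (strcmp(table[i].sid, sid) == 0) { *uid = table[i].uid; return 0; }
    return -ENOENT;
}

/* uid -> SID: fails for unknown uids, and for nobody by construction. */
int uid_to_sid(uid_t uid, const char **sid)
{
    if (uid == UID_NOBODY) return -ENOENT;
    for (size_t i = 0; i < NMAP; i++)
        if (table[i].uid == uid) { *sid = table[i].sid; return 0; }
    return -ENOENT;
}

/* Filling st_uid for a stat()-like call under the two policies discussed. */
enum policy { FAIL_ON_UNKNOWN, SHOW_AS_NOBODY };

int fill_st_uid(const char *owner_sid, enum policy p, uid_t *st_uid)
{
    int rc = sid_to_uid(owner_sid, st_uid);
    if (rc == 0 || p == FAIL_ON_UNKNOWN)
        return rc;
    *st_uid = UID_NOBODY;   /* display only; uid_to_sid() rejects it */
    return 0;
}
```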