Security Identifier (SID) to User Identifier (uid) Resolution System

John E. Malmberg wb8tyw at qsl.net
Wed Jan 5 05:58:28 GMT 2000


From: Luke Kenneth Casson Leighton <lkcl at samba.org>

> On Tue, 4 Jan 2000, Cole, Timothy D. wrote:
>
> > Actually, there's another rationale at work here, too... regardless
> > of how the actual table is stored (I imagine in practice it'd be one, or
> > at most two, tables), there are really three "logical" tables:
> >
> > 1. sid -> posix uid/gid
> > 2. uid -> sid
> > 3. gid -> sid
>
> note: sid MUST be unique in all three "logical" tables.  uid MUST be
> unique in "logical" tables 1 and 2.  gid MUST be unique in "logical"
> tables 1 and 3.
>

I do not know if you can use this in the general POSIX world, but in
OpenVMS, only "logical table 1" is needed.

That is because all UIDs are 32 bit, with the sign bit clear, as the GID is
the upper word of a UID and cannot be separated.

All pure GIDs are represented internally as 15 bits of a high word, and the
low word is set to 0xFFFF.

A third class of IDs known as resource Identifiers, that never correspond to
a specific GID or UID map to a 32 bit number with a sign bit set.

Seems complex, doesn't it?  Think of SUBNET masks and look again.  The logic
to test if an arbitrary UID/GID/ResourceID applies is very simple and
compact.


Now how to do that for a general POSIX case?

Is the UID of 0xFFFF legal?  If it is not, then it could be used to indicate a
UID of a UID/GID pair that just represented a group.

Using a structure of a {uid_t low; gid_t high} to store the mappings, could
it work out that a specific NT SID would map to a specific GID/UID pair?

For those host operating systems that support ACLs, an NT SID could map
to a specific UID, or a specific UID/GID pair, or a specific GID.  I do not
know if any UNIX operating system has the concept of a RIGHTS identifier
separate from a GID.

Still only one table is needed, and because the UID/GID information can be
encoded/decoded easily, only one translation routine is needed.

Of course your type code could also be used.  But now depending on how you
look at the issue:

OpenVMS has either:

1. sid -> UID/GID/RightsID

    or

1. sid -> UID          31 bits
2. sid -> GID          15 bits
3. sid -> RightsID    32 bits, high bit always set.

I do not know if any of this helps at all, it is just an alternative
viewpoint.

-John
wb8tyw at qsl.net
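The packed-identifier scheme described in the message above, as an added C example. This is not OpenVMS, Samba, or the poster's code; it follows the layout as the message describes it: bit 31 set marks a resource (rights) identifier, bits 16..30 carry the group, the low word carries the member, and a low word of 0xFFFF marks an entry that is only a group. The constant and function names, and the sample SID-to-identifier table, are this example's own constructions, and the sample SIDs are made up for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/*
 * Example layout (an assumption taken from the message, not a verified
 * OpenVMS definition):
 *   bit 31 set    -> resource identifier; the whole 32 bits are the id
 *   bits 16..30   -> group number (15 bits) when bit 31 is clear
 *   bits 0..15    -> member number; 0xFFFF means "the group itself"
 */
typedef uint32_t packed_id;

enum id_class { ID_USER = 1, ID_GROUP = 2, ID_RESOURCE = 3 };

#define ID_RESOURCE_BIT 0x80000000u
#define ID_GROUP_SHIFT  16
#define ID_GROUP_MAX    0x7FFFu
#define ID_MEMBER_MASK  0xFFFFu
#define ID_GROUP_ONLY   0xFFFFu   /* reserved member value */

/* Build a user id from (group, member). Rejects an out-of-range group and
 * the reserved member value, so a user entry can never collide with a
 * group-only entry. Returns true on success. */
bool make_user_id(uint32_t group, uint32_t member, packed_id *out)
{
    if (group > ID_GROUP_MAX || member >= ID_GROUP_ONLY)
        return false;
    *out = (group << ID_GROUP_SHIFT) | member;
    return true;
}

/* Build a group-only id: group in the high word, 0xFFFF in the low word. */
bool make_group_id(uint32_t group, packed_id *out)
{
    if (group > ID_GROUP_MAX)
        return false;
    *out = (group << ID_GROUP_SHIFT) | ID_GROUP_ONLY;
    return true;
}

/* Resource identifiers: sign bit always set, never a user or a group. */
packed_id make_resource_id(uint32_t n)
{
    return n | ID_RESOURCE_BIT;
}

/* The class is recoverable from the bits alone, so one sid -> packed_id
 * table needs no separate type column. */
enum id_class classify(packed_id id)
{
    if (id & ID_RESOURCE_BIT)
        return ID_RESOURCE;
    if ((id & ID_MEMBER_MASK) == ID_GROUP_ONLY)
        return ID_GROUP;
    return ID_USER;
}

uint32_t id_group(packed_id id)  { return (id >> ID_GROUP_SHIFT) & ID_GROUP_MAX; }
uint32_t id_member(packed_id id) { return id & ID_MEMBER_MASK; }

/* "Does the required id apply to this holder?" in subnet-mask style:
 * a group entry matches any user or group with the same high word
 * (a resource id never matches a group); user and resource entries must
 * match exactly. */
bool id_applies(packed_id holder, packed_id required)
{
    if (classify(required) == ID_GROUP)
        return classify(holder) != ID_RESOURCE &&
               ((holder ^ required) & (ID_GROUP_MAX << ID_GROUP_SHIFT)) == 0;
    return holder == required;
}

/* Constructed sample table: the single logical table, sid -> packed id. */
struct sid_map { const char *sid; packed_id id; };

static const struct sid_map table[] = {
    { "S-1-5-21-1-2-3-1001", 0x00640010u },  /* user: group 100, member 16 */
    { "S-1-5-21-1-2-3-513",  0x0064FFFFu },  /* group 100 itself */
    { "S-1-5-21-1-2-3-1002", 0x80000007u },  /* resource identifier 7 */
};

/* The one translation routine: look the sid up and decode its class from
 * the bits. Returns false for an unknown sid. */
bool sid_to_id(const char *sid, packed_id *out, enum id_class *cls)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].sid, sid) == 0) {
            *out = table[i].id;
            *cls = classify(*out);
            return true;
        }
    }
    return false;
}

int main(void)
{
    packed_id user, group, res;
    make_user_id(100, 16, &user);
    make_group_id(100, &group);
    res = make_resource_id(7);
    printf("user %08x applies to group %08x: %d\n", user, group, id_applies(user, group));
    printf("user %08x applies to resource %08x: %d\n", user, res, id_applies(user, res));
    return 0;
}
```

The two range checks in `make_user_id` are where the scheme stands or falls: if a caller could hand in a member of 0xFFFF or a group wider than 15 bits, a user id could be mistaken for a group entry or spill into the resource bit, and the single-table decoding would silently misclassify it.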
