Security Identifier (SID) to User Identifier (uid) Resolution System

Steve Langasek vorlon at
Wed Jan 5 15:49:12 GMT 2000

On Wed, 5 Jan 2000, John E. Malmberg wrote:

> From: Luke Kenneth Casson Leighton <lkcl at>

> > > Actally, there's another rationale at work here, too... regardless
> > > of how the actual table is stored (I imagine in practice it'd be one, or
> at
> > > most two, tables), there are really three "logical" tables:

> > > 1. sid -> posix uid/gid
> > > 2. uid -> sid
> > > 3. gid -> sid

> > note: sid MUST be unique in all three "logical" tables.  uid MUST be
> > unique in "logical" tables 1 and 2.  gid MUST be unique in "logical"
> > tables 1 and 3.

> I do not know if you can use this in the general POSIX world, but in
> OpenVMS, only "logical table 1" is needed.

> That is because all UIDs are 32 bit, with the sign bit clear, as the GID is
> the upper word of a UID and can not be separated.

> All pure GIDs are represented internally as 15 bits of a high word, and the
> low word is set to 0xFFFF.

> Is the UID of 0xFFFF legal?  If it is not, then it could be used indicate a
> UID of a UID/GID pair that just represented a group.

Any 32-bit integer is a valid UID or GID under POSIX (well, assuming a 32-bit
or greater size for uid_t).

It's an interesting idea.  The same result could also be achieved using a
uid_t/gid_t and a flag to tell which it is.  You still only need one database,
your POSIX key just has to include the id and the flag.  I don't see any clear
advantage to one method over the other.

> Using a structure of a {uid_t low; gid_t high} to store the mappings, could
> it work out that a specific NT SID would map to a specific GID/UID pair.

> For those host operating systems that support ACLs, then an NT SID could map
> to a specific UID, or a specific UID/GID pair, or a specific GID.  I do not
> know if any UNIX operating system has the concept of a RIGHTS identifier
> separate from a GID.

But an SID under NT always represents a single user OR a single group.  It
never represents both at the same time.  I think it would unnecessarily
complicate matters to try to map SIDs to more than one POSIX entity.

-Steve Langasek
postmodern programmer

More information about the samba-technical mailing list