Security Identifier (SID) to User Identifier (uid) Resolution System
Steve Langasek
vorlon at netexpress.net
Wed Jan 5 15:49:12 GMT 2000
On Wed, 5 Jan 2000, John E. Malmberg wrote:
> From: Luke Kenneth Casson Leighton <lkcl at samba.org>
> > > Actually, there's another rationale at work here, too... regardless
> > > of how the actual table is stored (I imagine in practice it'd be one, or at
> > > most two, tables), there are really three "logical" tables:
> > > 1. sid -> posix uid/gid
> > > 2. uid -> sid
> > > 3. gid -> sid
> > note: sid MUST be unique in all three "logical" tables. uid MUST be
> > unique in "logical" tables 1 and 2. gid MUST be unique in "logical"
> > tables 1 and 3.
> I do not know if you can use this in the general POSIX world, but in
> OpenVMS, only "logical table 1" is needed.
> That is because all UIDs are 32 bit, with the sign bit clear, as the GID is
> the upper word of a UID and cannot be separated.
> All pure GIDs are represented internally as 15 bits of a high word, and the
> low word is set to 0xFFFF.
> Is the UID of 0xFFFF legal? If it is not, then it could be used to indicate a
> UID of a UID/GID pair that just represented a group.
Any 32-bit integer is a valid UID or GID under POSIX (well, assuming a 32-bit
or greater size for uid_t).
It's an interesting idea. The same result could also be achieved using a
uid_t/gid_t and a flag to tell which it is. You still only need one database,
your POSIX key just has to include the id and the flag. I don't see any clear
advantage to one method over the other.
> Using a structure of a {uid_t low; gid_t high} to store the mappings, could
> it work out that a specific NT SID would map to a specific GID/UID pair.
> For those host operating systems that support ACLs, then an NT SID could map
> to a specific UID, or a specific UID/GID pair, or a specific GID. I do not
> know if any UNIX operating system has the concept of a RIGHTS identifier
> separate from a GID.
But an SID under NT always represents a single user OR a single group. It
never represents both at the same time. I think it would unnecessarily
complicate matters to try to map SIDs to more than one POSIX entity.
-Steve Langasek
postmodern programmer
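The two keying schemes discussed in this exchange, written out as an added example that is not part of the original message and not Samba code: a single physical table keyed by (kind, id) that still answers all three logical lookups while enforcing the uniqueness rules stated above (one POSIX entity per SID; one SID per uid and per gid), next to the one-word OpenVMS-style packing (15-bit group number in the high word, low word 0xFFFF for a pure group, raw uid otherwise), so the round-trip check can show where a POSIX uid whose low word is 0xFFFF is read back as a group. The class and function names, the packing details and the sample SID strings are assumptions made for the example.

```python
"""Added example (not Samba code): one SID <-> POSIX id table keyed by
(kind, id), plus the single-word OpenVMS-style packing from the thread.

Assumptions, not from the original post: the class/function names, the
sample SID strings, and the exact packing (15-bit group number in the
high word, low word 0xFFFF for a pure group, raw uid otherwise).
"""
from enum import Enum


class IdKind(Enum):
    UID = "uid"
    GID = "gid"


class MappingConflict(Exception):
    """Raised when an insert would violate a uniqueness invariant."""


class IdMap:
    """One physical table serving the three logical lookups
    (sid -> uid/gid, uid -> sid, gid -> sid).

    Invariants enforced on insert:
      * a SID maps to exactly one POSIX entity, a user OR a group;
      * within a kind, each id maps to exactly one SID (uid 1000 and
        gid 1000 are distinct keys and may map to different SIDs).
    """

    def __init__(self):
        self._by_sid = {}  # sid -> (IdKind, id)
        self._by_key = {}  # (IdKind, id) -> sid

    def add(self, sid, kind, posix_id):
        if not 0 <= posix_id <= 0xFFFFFFFF:
            raise ValueError("POSIX ids are treated as 32-bit unsigned here")
        key = (kind, posix_id)
        if self._by_sid.get(sid, key) != key:
            raise MappingConflict(f"{sid} already mapped to {self._by_sid[sid]}")
        if self._by_key.get(key, sid) != sid:
            raise MappingConflict(f"{kind.value} {posix_id} already mapped to {self._by_key[key]}")
        self._by_sid[sid] = key
        self._by_key[key] = sid

    def sid_to_id(self, sid):
        return self._by_sid.get(sid)

    def uid_to_sid(self, uid):
        return self._by_key.get((IdKind.UID, uid))

    def gid_to_sid(self, gid):
        return self._by_key.get((IdKind.GID, gid))

    def add_conflicts(self, sid, kind, posix_id):
        """True if inserting this mapping would violate an invariant."""
        try:
            self.add(sid, kind, posix_id)
        except MappingConflict:
            return True
        return False


def pack_vms_style(kind, posix_id):
    """Encode (kind, id) as one 32-bit word in the OpenVMS style described
    in the thread. Returns None if the id does not fit the encoding."""
    if kind is IdKind.GID:
        if posix_id > 0x7FFF:          # only 15 bits of group number
            return None
        return (posix_id << 16) | 0xFFFF
    if posix_id > 0x7FFFFFFF:          # sign bit must stay clear
        return None
    return posix_id


def unpack_vms_style(word):
    """Inverse of pack_vms_style: low word 0xFFFF marks a pure group."""
    if word & 0xFFFF == 0xFFFF:
        return (IdKind.GID, word >> 16)
    return (IdKind.UID, word)


def packed_round_trips(kind, posix_id):
    """False when the one-word encoding cannot hold the key or reads it
    back as a different entity (a POSIX uid whose low word happens to be
    0xFFFF comes back as a group)."""
    word = pack_vms_style(kind, posix_id)
    return word is not None and unpack_vms_style(word) == (kind, posix_id)


# Constructed sample data: SIDs made up for this example.
SAMPLE_USER_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_GROUP_SID = "S-1-5-21-1111-2222-3333-513"


def sample_map():
    m = IdMap()
    m.add(SAMPLE_USER_SID, IdKind.UID, 1000)
    m.add(SAMPLE_GROUP_SID, IdKind.GID, 1000)  # same number, different kind
    return m


if __name__ == "__main__":
    m = sample_map()
    print(m.sid_to_id(SAMPLE_USER_SID), m.uid_to_sid(1000), m.gid_to_sid(1000))
    print(packed_round_trips(IdKind.UID, 0x1FFFF))  # uid 131071 has low word 0xFFFF
```

The (kind, id) key never needs a reserved value, so every 32-bit uid and gid remains representable; the packed form buys a single integer key at the cost of a 15-bit group range and an ambiguity for any uid ending in 0xFFFF.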