Security Identifier (SID) to User Identifier (uid) Resolution System

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Wed Jan 5 16:41:45 GMT 2000


> -----Original Message-----
> From:	John E. Malmberg [SMTP:wb8tyw at qsl.net]
> Sent:	Wednesday, January 05, 2000 0:55
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: Security Identifier (SID) to User Identifier (uid) Resolution System
> 
> From: Luke Kenneth Casson Leighton <lkcl at samba.org>
> 
> > On Tue, 4 Jan 2000, Cole, Timothy D. wrote:
> >
> > > Actually, there's another rationale at work here, too... regardless
> > > of how the actual table is stored (I imagine in practice it'd be one, or
> > > at most two, tables), there are really three "logical" tables:
> > >
> > > 1. sid -> posix uid/gid
> > > 2. uid -> sid
> > > 3. gid -> sid
> >
> > note: sid MUST be unique in all three "logical" tables.  uid MUST be
> > unique in "logical" tables 1 and 2.  gid MUST be unique in "logical"
> > tables 1 and 3.
> >
> 
> Now how to do that for a general POSIX case?
> 
> Is the UID of 0xFFFF legal?  If it is not, then it could be used to indicate
> a UID of a UID/GID pair that just represented a group.
> 
	Not all POSIX systems have 16-bit UIDs.

> Using a structure of a {uid_t low; gid_t high} to store the mappings, could
> it work out that a specific NT SID would map to a specific GID/UID pair.
> 
> For those host operating systems that support ACLs, then an NT SID could
> map to a specific UID, or a specific UID/GID pair, or a specific GID.  I do
> not know if any UNIX operating system has the concept of a RIGHTS identifier
> separate from a GID.
> 
	Not exactly.  Some ACEs (i.e. on HP-UX 10.xx) can contain user.group
combinations, however.  For the purposes of the ACL code, this would
probably have to be done like:

	 S-1-<domain>-<group rid>-<user rid>

	That only allows users and groups in the same domain to be combined
in that fashion, but that's really the only case where it would be needed
anyway.


