SMS/SAM winbind

Andrew Bartlett abartlet at
Tue Jul 2 17:26:01 GMT 2002

"Stefan (metze) Metzmacher" wrote:
> Approach to handle the SID mapping.
> I preferr to have a database (or config options in smb.conf) for the
> following DATA:
> (Builtin and OurDomain):
>                  SID: S-1-5-21-4158354609-2045536973-4240204567
>                  uid: 20000-30000
>                  gid: 15000-25000
> TrustDomainA: (with NT4 Server)
>                  SID: S-1-5-21-4158354609-2045536973-4240204567
>                  uid: 20000-30000
>                  gid: 15000-25000
> TrustDomainB:   (with ADS Server)
>                  SID: S-1-5-21-1354354609-4598675973-4240286745
>                  uid: 40000-50000
>                  gid: 40000-50000
> ------------------------------------------------------
> I would preferr that every SAM packend has it's own sid mapping for the
> secified domain SID or {u,g}id range. (e.g. sam_ldap would store it's
> mapping's in ldap, sam_tdb stores it in a tdb, or do it with algorithmic
> backend...)
> And for Trusted domains winbind is doing the mapping for the domain sid and
> {u,g}id ranges.

I don't think this is the right way to go.  This stuff is messy -
becouse we have this particular problem:

While a system might become a PDC, be demoted/premoted, and end up a
workstation agian, the files on that system are still owned by users -
users that are no longer in the SAM - becouse the SAM 'went away'.  We
need to keep that 'uid/gid -> SID' mapping, or we will never find the
real owner of those files.  Worse still, we might reallocate that UID to
another user - who then gets files he should not have access to...

As such, we should keep the SID mapping seperate to the SAM issue.  This
allows them to be stored in a local persistant TDB (like winbind uses)
or in some other form - which can be pluggable if required.

The issues of authenticaion/user listing and unix identity occur at
different times, and I don't think that seperating them (at least
logicly) will raise particular problems.

Depending on the design, it should be possible to keep such information
with the SAM, but just not via that interface.  This should allow it to
be easily extracted back to a tdb on demotion back to a fileserver etc.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list