Do SID and UID mapping need to be one-to-one?

Shlomi Yaakobovich Shlomi at
Mon Nov 6 09:01:47 GMT 2006

Hello members of Samba technical :)

I have a question regarding the tight coupling of SIDs to UIDs in winbindd's idmap_tdb.

If we have UID1 -> SID1, UID2 -> SID2, SID2 -> UID2, SID1 -> UID1 in the idmap - and we want to map UID1 <-> SID2 - to my understanding all of the above mappings will be deleted, and the new mappings will be created. There is also code in idmap_tdb (in db_get_id_from_sid) that specifically checks that the UID retrieved by the SID is equal to the SID retrieved by the UID. (err, that sentence was confusing a bit, basically it checks that if UID1->SID1 then SID1->UID1.)

There are cases I can imagine (e.g - user mapping) where I can see a need for many-to-one SID to UID mappings (although, UID to SID mappings should remain one-to-one), for instance, if I have:

UNIX users a
Windows users DOM+a, DOM+b

And I manually map DOM+b into user a (and user DOM+a is implicitly mapped into user a) then I'd like to see

UID(a)->SID(DOM+a)/SID(DOM+b) (doesn't really matter, I'd keep "last logged on")

In this way actions on SIDs sent from the client make sense, and translations back to the client at least keep some semblance of sanity...

So, I guess my question is simply - is there a compelling reason to enforce one-to-one mappings in the idmap? I've removed them in my test environment and played with them a bit and nothing seriously bad happened - but I'm wondering what the original reason for having the code in place is?

Thanks in advance!
(This mail is forwarded from one of my colleagues, who for some reason can't send this himself...)
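The two schemes discussed in the mail, modelled as an added example (this is not Samba's idmap_tdb code, and the SIDs and UIDs are constructed sample values): `StrictIdmap` keeps the forward and reverse tables one-to-one and performs the round-trip check the poster describes for `db_get_id_from_sid`, while `ManyToOneIdmap` is the proposed variant where several SIDs resolve to one UID and the UID -> SID record keeps the last SID set.

```python
# Added example (not Samba code): a toy model of winbindd's idmap_tdb tables,
# comparing the strict one-to-one scheme with the many-to-one SID -> UID
# scheme proposed in the mail. All identifiers below are constructed samples.

SID_DOM_A = "S-1-5-21-1-2-3-1101"   # constructed SID for DOM+a
SID_DOM_B = "S-1-5-21-1-2-3-1102"   # constructed SID for DOM+b
UID_A = 1000                        # constructed UID for UNIX user a
UID_B = 1001                        # constructed UID for UNIX user b


class StrictIdmap:
    """One-to-one SID<->UID store: a forward (UID -> SID) and a reverse
    (SID -> UID) table that are always kept mutually consistent."""

    def __init__(self):
        self.uid_to_sid = {}
        self.sid_to_uid = {}

    def set_mapping(self, uid, sid):
        # Every existing pair touching either side is removed in BOTH
        # directions before the new pair is written, so no stale half survives.
        old_sid = self.uid_to_sid.pop(uid, None)
        if old_sid is not None:
            self.sid_to_uid.pop(old_sid, None)
        old_uid = self.sid_to_uid.pop(sid, None)
        if old_uid is not None:
            self.uid_to_sid.pop(old_uid, None)
        self.uid_to_sid[uid] = sid
        self.sid_to_uid[sid] = uid

    def uid_from_sid(self, sid):
        uid = self.sid_to_uid.get(sid)
        if uid is None:
            return None
        # Round-trip check from the mail: the UID found for this SID must map
        # straight back to the same SID, otherwise the store is corrupt.
        if self.uid_to_sid.get(uid) != sid:
            raise ValueError("idmap inconsistent: %s -> %d -> %s"
                             % (sid, uid, self.uid_to_sid.get(uid)))
        return uid

    def sid_from_uid(self, uid):
        sid = self.uid_to_sid.get(uid)
        if sid is None:
            return None
        if self.sid_to_uid.get(sid) != uid:   # same check, other direction
            raise ValueError("idmap inconsistent: %d -> %s -> %s"
                             % (uid, sid, self.sid_to_uid.get(sid)))
        return sid


class ManyToOneIdmap(StrictIdmap):
    """Proposed variant: several SIDs may resolve to one UID, each SID still
    resolves to exactly one UID, and UID -> SID records the last SID set."""

    def set_mapping(self, uid, sid):
        prev_uid = self.sid_to_uid.get(sid)
        self.sid_to_uid[sid] = uid
        self.uid_to_sid[uid] = sid           # "last logged on" wins
        # If the SID used to belong to another UID whose forward entry pointed
        # at it, re-point that UID at one of its remaining SIDs, or drop it.
        if (prev_uid is not None and prev_uid != uid
                and self.uid_to_sid.get(prev_uid) == sid):
            remaining = [s for s, u in self.sid_to_uid.items() if u == prev_uid]
            if remaining:
                self.uid_to_sid[prev_uid] = remaining[-1]
            else:
                del self.uid_to_sid[prev_uid]

    def uid_from_sid(self, sid):
        return self.sid_to_uid.get(sid)      # no round trip to check any more

    def sid_from_uid(self, uid):
        return self.uid_to_sid.get(uid)

    def sids_for_uid(self, uid):
        return sorted(s for s, u in self.sid_to_uid.items() if u == uid)


def strict_remap_demo():
    """UID1->SID1, UID2->SID2, then map UID1<->SID2: the other pairs vanish."""
    m = StrictIdmap()
    m.set_mapping(UID_A, SID_DOM_A)
    m.set_mapping(UID_B, SID_DOM_B)
    m.set_mapping(UID_A, SID_DOM_B)
    return dict(m.uid_to_sid), dict(m.sid_to_uid)


def strict_corruption_demo():
    """What the round-trip check catches: a reverse record with no forward twin."""
    m = StrictIdmap()
    m.set_mapping(UID_A, SID_DOM_A)
    m.sid_to_uid[SID_DOM_B] = UID_A     # half-written record, simulated
    try:
        m.uid_from_sid(SID_DOM_B)
    except ValueError:
        return "rejected"
    return "accepted"


def many_to_one_demo():
    """Map both DOM+a and DOM+b onto UNIX user a, as in the mail."""
    m = ManyToOneIdmap()
    m.set_mapping(UID_A, SID_DOM_A)
    m.set_mapping(UID_A, SID_DOM_B)
    return (m.uid_from_sid(SID_DOM_A), m.uid_from_sid(SID_DOM_B),
            m.sid_from_uid(UID_A), m.sids_for_uid(UID_A))
```

`strict_remap_demo` reproduces the deletion the poster describes (only UID1<->SID2 survives), `strict_corruption_demo` shows the one thing the round-trip check buys, detection of a half-written record, and `many_to_one_demo` shows that once SID -> UID is many-to-one that check can no longer be expressed, which is the trade-off behind the question.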
