Mapping Windows groups to uids (with idmap and rid)

Kai Blin kai at
Wed Oct 22 05:18:09 GMT 2008

On Tuesday 21 October 2008 19:35:59 Assar wrote:
> I discovered that in Windows, files can be owned by a group that this
> is not supported by Samba (3.2.3).  In my case, I'm using idmap and
> rid.

It's actually not supported by POSIX. 

> How can these Windows groups be mapped to uids?
> If my limited understanding is correct, the mapping that you have are:
> (with idmap and rid - perhaps this is not the case in general?)
> Windows group: SID=s0, RID=r0          <-   -> gid_t = g0 = f(r0)
> Windows user:  SID=s1, RID=r1          <-   -> uid_t = u1 = f(r1)

Sort of. IIRC there's an idmap plugin to just map rids to uids or gids 
directly. However, the RID part is only unique per domain SID. So this type 
of mapping breaks down if there's e.g. trust relationships.

> And if I understand this correctly, the RID namespace is global, so
> there can never be a windows group and user with the same RID?

Well, they're unique per domain SID. But of course it's just as easy to do 
what you're suggesting below with SIDs instead of RIDs.

> If that's the case, what's to stop us from defining a mapping:
> Windows group: SID=s0, RID=r0           <- -> uid_t = u0 = g0 = f(r0)
> If the RID namespace is the same, there should not exist a user with
> RID=r0 and this mapping would be unambiguous?

That's how Samba4 idmap works (if you replace the use of the RID by the full 
SID). It should be possible to implement this for Samba3 as well. However, 
the way Samba3 handles users is a bit different, so perhaps someone who has 
more experience with the related Samba3 code can comment if this would break 
any assumptions Samba3 makes.


Kai Blin
WorldForge developer
Wine developer
Samba team member
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url :

More information about the samba-technical mailing list