[Samba] SIDs and UIDs and RIDs - Oh My!

John H Terpstra jht at Samba.Org
Sun Aug 14 00:47:46 GMT 2005


OK - I'll bite!

Clearly you have read the documentation I have written and find it deficient. 
That's OK! Now, will you help me to fix the deficiency please?

I need your help to make the documentation more useful.

Below is my side of this challenge you have issued. Please help me over my 
myopia.

On Saturday 13 August 2005 18:00, Moondance Foxmarnick wrote:
> I'm trying to grasp pg. 154 of the "Official SAMBA-3" book by Terpstra and
> Vernooij and I'm just missing a critical networking concept.

Good. Let's fix this now.

I presume that we are talking about the current version of this book. Right?
Here's the URL:

	http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

If this is NOT the version you checked, please let me know precisely the URL 
from which you obtained this and the creation date so I can refer to the same 
document as you have.

> I understand that SIDs are the numerical identification of a user for the
> Windows world.

Correct. I checked the index for RID. The first reference is in section 4.1 
(page 46 in my build) where it says:

<quote>
A domain provides a unique network security identifier (SID). Domain user and 
group security identifiers are comprised of the network SID plus a relative 
identifier (RID) that is unique to the account. User and group SIDs (the 
network SID plus the RID) can be used to create access control lists (ACLs) 
attached to network resources to provide organizational access control. UNIX 
systems recognize only local security identifiers.
</quote>

So from this it might be interpreted that each Windows account has a unique 
RID, just as a UNIX user has a unique UID. Every Windows machine and every 
Windows security domain has a unique SID. A user SID is made up of the 
machine or domain SID and is catenated with a RID.

If that is not your interpretation please help me to understand the source of 
confusion in the quoted section.

> I understand that UIDs are the equivalent for the *nix world.

A user account that has been created on a Windows workstation will have a 
locally assigned RID. If an account is created in a Windows NT4 or Active 
Directory Domain it will be allocated a unique RID within that security 
context.

> But what the @$@! is a Relative IDentifier (RID)?!?

A RID is like a UID or a GID. Where UNIX has separate IDs for users and 
groups, Windows has just one - the RID.

But the workstation referred to above has its SID. Every Windows workstation 
has a unique SID. Every Windows NT4 or ADS domain has a SID also.

A user SID is made up of the SID of the security context within which it is 
created plus the RID.

A SID looks like this:

	S-1-5-21-11009899-23411980-22115678

If the user RID within the context of that SID has the value 879, then the 
user SID will be:

	S-1-5-21-11009899-23411980-22115678-879

>
> On page 153 the command to map a windows group to a *nix group - no mention
> of RIDs.

Sorry. I really goofed on that didn't I!

> Then on 154 it is stressed that under no circumstances should your *nix
> groups or users trod on window's assigned RIDs for Domain Admins, Domain
> Users, et al. Another example of groupmap - oh look it lists a RID?

Please explain. What is your point now?

> No mention as to where a RID comes from or can be viewed.

Really? I believe that it was in fact covered in section 4.1 - but if that is 
not good enough please give me suggested text and a place you would like to 
see it located within the document (by section number please - not by page 
number).

> Do they mean that I can't have a user in Fedora that is 500? 

Sheesh! Really not clear is it! UIDs are mapped to RIDs.

Since Windows allocates RIDs sequentially for users, groups and for trust 
accounts we have to provide a way of mapping all UNIX users to a RID that is 
absolutely unique. So Samba does algorithmic mapping. The RIDs are calculated 
like this:

	User_RID = UID * 2 + 1000

	Group_RID = GID * 2 + 1001

That means that a UID of 500 will produce a RID of 2000.

> Isn't that a UID? 

No! I think I have clarified that.

> Is a UID a RID? 

No. A UID is a UNIX identifier. A RID is a Windows identifier. Samba provides 
means to map them, but you can override the algorithmic mapping using the 
pdbedit and the net utilities. If you do override the mapping, just make sure 
you get no overlap between Windows user and group RIDs.
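As an added illustration (not code from the post or from Samba itself) of the algorithmic mapping and of the overlap check John asks for when the mapping is overridden: the formulas above applied to a UID/GID, the SID-plus-RID catenation from the earlier example, and a check that a set of hand-assigned RIDs contains no user/group collisions. The treatment of RIDs below 1000 as "builtin" is my assumption, since the formulas never produce such values.

```python
# Added example (not from the mailing-list post or from Samba): the
# algorithmic UID/GID -> RID mapping described above, SID composition, and
# a check that overridden mappings have no user/group RID collisions.
import re

# A SID is "S-1-<authority>-<subauthority>[-<subauthority>...]".
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def user_rid(uid: int) -> int:
    """User_RID = UID * 2 + 1000 (always even)."""
    return uid * 2 + 1000

def group_rid(gid: int) -> int:
    """Group_RID = GID * 2 + 1001 (always odd)."""
    return gid * 2 + 1001

def build_sid(domain_sid: str, rid: int) -> str:
    """Catenate the machine/domain SID with a RID to form an account SID."""
    if not SID_RE.match(domain_sid):
        raise ValueError(f"not a SID: {domain_sid}")
    return f"{domain_sid}-{rid}"

def split_sid(sid: str):
    """Return (domain_sid, rid) for an account SID; the RID is the last
    component, so the caller must know this is an account SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def rid_to_unix(rid: int):
    """Invert the algorithmic mapping: ('user', uid) or ('group', gid).
    RIDs below 1000 are never produced by the formulas; they are returned
    as ('builtin', rid) to be resolved by hand (assumption of this example)."""
    if rid < 1000:
        return ("builtin", rid)
    if rid % 2 == 0:
        return ("user", (rid - 1000) // 2)
    return ("group", (rid - 1001) // 2)

def find_rid_overlaps(user_rids: dict, group_rids: dict) -> set:
    """Given overridden mappings {uid: rid} and {gid: rid}, return the RIDs
    used by both a user and a group. An empty set means no overlap."""
    return set(user_rids.values()) & set(group_rids.values())
```

With the default formulas user RIDs are even and group RIDs odd, so find_rid_overlaps is only needed once you start overriding the mapping with pdbedit or net.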

> I've used Fedora for a year now and have never typed a  RID modifying 
> command. 

That is not a crime. No penalty is due. Most admins never need to mess with 
RIDs. If you follow the guidelines I documented you should not ever need to 
mess with the RIDs. That's the whole point of following standardized 
procedures as shown in the documentation.

> 
> I'm sure this is just so basic. But I don't know it and can't find it and
> it's critical to understand it.

Right. Now that I have explained it, is this any clearer? If it is, please 
help me by rewriting or amending the documentation to remove the confusion. 

When can I expect your patch, documentation update submission or a detailed 
bug report on https://bugzilla.samba.org to help get this straightened out?

- John T.
