[Samba] Domain SID vs. Local SID on Domain Controller & SID requirements

[simo]

On Tue, 2009-09-15 at 11:42 -0700, Linda Walsh wrote:
> IF a samba server is setup to be a domain controller, should
> it's local SID = the domain SID?

yes the PDC exports the "local SAM" as the "domain SAM"
(the SAM is the DB where user information is stored including SIDs)

> Also, what are the requirements of a SID?
> 
> I usually see S-1-5-21-x-y-z, where x,y,z = 10 digits, but
> could x,y,z be 1,2,3 (for example)?   I.e. do they have to be
> 10 digit numbers or can they be shorter? 

They are random 32bit integers, they can be any number between 1 and
2^32-1

> If I have a simple setup, and want a sid I can remember can I
> just make it 'short'?

No, users SID are composed of Domain SID + RID, the Domain SID part is
identical for all domain user and is generated once by the PDC at
installation time.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>