About Winbindd and IDMapping

The Winbind service

Winbindd is a daemon that lets a UNIX system resolve users and groups from an Active Directory domain. It implements the concept of IDMapping (or IDMap) to convert the SIDs of the Windows world (e.g. S-1-5-21-4262773471-1330489575-488031063-2616) to a UID or GID of the Unix world, and vice versa.

Other tools for mapping between SIDs and UIDs exist, such as the SSSD service. Depending on the use case, one or the other will be preferable. For example, we recommend using Winbind on file servers and SSSD on client computers.

The concept of SID

In the Windows environment, each user, each machine and each group is identified by a unique identifier, the SID. The SID can be a short SID (e.g. S-1-0, S-1-5-32-544), which corresponds to a well-known SID, or a long SID (e.g. S-1-5-21-4262773471-1330489575-488031063-2616).

The Administrators group, which is local to a machine (not to be confused with the Domain Admins group, which is global to the domain), is referenced with a short SID: S-1-5-32-544.

A long SID can refer to a domain user, but also to a local user created on the machine; in this second case, the authentication domain is the machine itself. A long SID has two parts: the first part is the same for all users in the domain, and the last group of numbers, called the RID, is unique for each user.

For example, in the SID S-1-5-21-4262773471-1330489575-488031063-2616, the domain SID is S-1-5-21-4262773471-1330489575-488031063, which is the same for all users, machines and groups in the domain, and the RID is 2616, which is unique for each user, machine and group in the domain.

There is a list of well-known RIDs that are the same in all domains. There are several dozen of them; the main ones to remember are the following:

  • -500: Administrator;

  • -512: Domain Admins;

  • -513: Domain Users;

  • -515: Domain Computers;

Note

For your information, a short SID, in addition to referring to a user or group, may refer to a concept. For example, the SID S-1-16-12288 is in fact the High mandatory integrity level label carried in a process's access token, which grants that process a high level of execution (see UAC).

You can find a list of existing SIDs (short SIDs and long SIDs) in Microsoft's published list of well-known SIDs.

The IDMap concept

IDMap is used to map a Windows ID (SID) to a Linux ID (UID/GID). A mapping scheme is necessary because the two environments refer to users, groups and machines in different ways. The concept of SIDs in Windows environments is much broader than the concept of UIDs in Unix environments: a SID encodes whether an account is local or remote and which domain it belongs to, whereas the Unix environment only has a single integer for this.

There are several programs for maintaining the IDMap. The default service offered by Samba is Winbind. The one offered by Red Hat is SSSD. Both solutions have their advantages and disadvantages. At Tranquil IT, we commonly use Winbind on file servers, while we use SSSD on Linux workstations.

There are three main ways of building a correspondence table between the two worlds, plus a fourth variant:

  • TDB;

  • RFC2307;

  • RID;

  • RID with self-generated offset (SSSD mode);
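The following Python script is an added example (it is not part of this documentation nor of Samba's code) that ties the two previous sections together: it parses a SID into its domain SID and RID as described in the section on SIDs, looks up the well-known RIDs listed there, and then computes the Unix ID that RID mode would produce. The RID-mode formula used, ID = RID - BASE_RID + LOW_RANGE_ID, is the one documented for Samba's idmap_rid backend; the range 10000-999999 and the SIDs in the usage block are constructed sample values, not values from a real domain.

```python
import re

# Well-known RIDs named in the section on SIDs; they are the same in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
}

# Strict textual form of a SID: "S-1-<authority>[-<sub-authority>...]".
# A stray space (as in a SID copied from a document) is rejected on purpose.
_SID_RE = re.compile(r"S-1-(\d+)((?:-\d+)*)")


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities...]) for a SID string."""
    match = _SID_RE.fullmatch(sid)
    if match is None:
        raise ValueError(f"not a valid SID: {sid!r}")
    authority = int(match.group(1))
    sub_authorities = [int(s) for s in match.group(2).split("-")[1:]]
    return authority, sub_authorities


def is_long_sid(sid):
    """True for S-1-5-21-X-Y-Z[-RID] SIDs, i.e. a domain (or a machine's local SAM)
    and the accounts it contains; everything else is a short SID."""
    authority, sub_authorities = parse_sid(sid)
    return authority == 5 and len(sub_authorities) >= 4 and sub_authorities[0] == 21


def split_domain_rid(sid):
    """Split a long account SID into (domain SID, RID), as the text does for ...-2616."""
    authority, sub_authorities = parse_sid(sid)
    if authority != 5 or len(sub_authorities) != 5 or sub_authorities[0] != 21:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain_sid = "S-1-5-" + "-".join(str(s) for s in sub_authorities[:-1])
    return domain_sid, sub_authorities[-1]


def describe_rid(rid):
    """Name of a well-known RID, or None for an ordinary domain-allocated RID."""
    return WELL_KNOWN_RIDS.get(rid)


def rid_to_unix_id(rid, low_range, high_range, base_rid=0):
    """RID-mode mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range, which is the
    case in which winbind cannot map the account at all."""
    unix_id = rid - base_rid + low_range
    if unix_id < low_range or unix_id > high_range:
        return None
    return unix_id


def map_sid_rid_mode(sid, low_range, high_range, base_rid=0):
    """Map a domain account SID to a UID/GID with the RID formula. Note that users
    and groups are mapped with the same formula: the number says nothing about
    which kind of object it came from."""
    _, rid = split_domain_rid(sid)
    return rid_to_unix_id(rid, low_range, high_range, base_rid)


if __name__ == "__main__":
    # Constructed sample: the SID quoted in the text and a constructed range.
    sample_sid = "S-1-5-21-4262773471-1330489575-488031063-2616"
    domain_sid, rid = split_domain_rid(sample_sid)
    print("domain SID:", domain_sid, "RID:", rid, "well-known:", describe_rid(rid))
    print("RID-mode UID/GID in range 10000-999999:",
          map_sid_rid_mode(sample_sid, 10000, 999999))
    print("Domain Admins in the same domain:",
          map_sid_rid_mode(domain_sid + "-512", 10000, 999999))
```

The range check matters in practice: an account whose RID maps outside the configured range simply gets no Unix ID, so "user cannot be resolved" errors in RID mode are often just a range that is too narrow for the domain's RID pool.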

The xidnumber concept

In Windows environments, a group can own a file or directory. In the Unix environment, however, the owner of a file is always a user.

In the case of the SYSVOL directory that contains the GPOs on an Active Directory server, some GPO directories belong to the Domain Admins group. Microsoft GPO clients are very strict about the permissions of the SYSVOL directory, and if the permissions are not compliant, the GPOs are not applied.

To solve this problem, Samba developed the concept of xidNumber (by analogy with uidNumber and gidNumber). An xidNumber can be used indifferently as a group right (GID) or as a user owner right (UID).

RFC2307 mapping cannot correctly support xidNumber operation because it does not guarantee that a user and a group will never have the same ID. Also, RID mode is currently not supported on domain controllers. This is why our documentation recommends TDB mapping on Samba domain controllers.
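As an added illustration of the last point (example code, not part of this documentation nor of Samba), the script below does two things: it scans a set of RFC2307-style uidNumber/gidNumber values for a user and a group that share one number, which is exactly what xidNumber is meant to rule out, and it contrasts that with a single allocator that hands out numbers to users and groups from one shared range, so a number used as a UID can never reappear as a GID. The directory entries and the 3000000-3000002 range are constructed sample values, and the allocator is a simplified model of the single-ID-space idea, not Samba's own TDB or idmap.ldb implementation.

```python
# Constructed sample of what an RFC2307-populated directory could contain:
# a user and a group were given the same number by two different admins.
SAMPLE_USERS = {"alice": 10000, "bob": 10001}
SAMPLE_GROUPS = {"Domain Admins": 10000, "Domain Users": 10513}


def find_rfc2307_collisions(users, groups):
    """users: {name: uidNumber}, groups: {name: gidNumber}.
    Returns sorted (number, user, group) triples where one number is used both as
    a uidNumber and as a gidNumber. Such a number cannot act as an xidNumber,
    since a file owned by it would be ambiguous between the user and the group."""
    groups_by_gid = {}
    for group, gid in groups.items():
        groups_by_gid.setdefault(gid, []).append(group)
    collisions = []
    for user, uid in users.items():
        for group in groups_by_gid.get(uid, []):
            collisions.append((uid, user, group))
    return sorted(collisions)


class XidAllocator:
    """One counter shared by users and groups inside a single configured range
    (a simplified model of a single ID space, not Samba's allocator). Because
    every SID, user or group, draws from the same counter, no number is ever
    handed out twice, so each xid is usable as a UID or a GID without conflict."""

    def __init__(self, low, high):
        if low > high:
            raise ValueError("empty idmap range")
        self.low, self.high = low, high
        self.next_id = low
        self.by_sid = {}

    def xid_for(self, sid):
        """Return the xid already assigned to a SID, or allocate the next free one."""
        if sid in self.by_sid:
            return self.by_sid[sid]
        if self.next_id > self.high:
            raise RuntimeError("idmap range exhausted")
        xid = self.next_id
        self.next_id += 1
        self.by_sid[sid] = xid
        return xid


if __name__ == "__main__":
    print("RFC2307 collisions:", find_rfc2307_collisions(SAMPLE_USERS, SAMPLE_GROUPS))
    allocator = XidAllocator(3000000, 3000002)
    # Constructed SIDs: a group (RID 512) and a user (RID 1105) of the same domain.
    print("Domain Admins ->", allocator.xid_for("S-1-5-21-1-2-3-512"))
    print("user 1105     ->", allocator.xid_for("S-1-5-21-1-2-3-1105"))
    print("Domain Admins again ->", allocator.xid_for("S-1-5-21-1-2-3-512"))
```

Running the collision check against a directory before enabling RFC2307 mapping is a cheap way to find the duplicate numbers that would otherwise show up later as files apparently owned by the wrong principal.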