>Why don't we just follow Fedora Linux here and use a mapping to either
>99 (nobody) or 65534 (nfsnobody)?  Both uid values are unused in the
>mapping and 65534 aka 0xfffe has the additional advantage that it's not
>mapped at all (all values between 0x1000 and 0xffff are invalid).
>
>Also, since 65534 is -2 in a 16 bit uid it seems like a natural choice
>to me.
>
>So, what about S-1-0-65534 <-> 65534, name of "{nfs}nobody"?

I am happy with the S-1-0-65534 *SID*, but I note that the 65534 *UID* is
perhaps *not* a good choice. It is actually already mapped to
S-1-5-15-4095, according to your own [IDMAP] document:

    S-1-5-X-RID <=> uid/gid: 0x1000 * X + RID

With X=15 and RID=4095, we get uid==65534. Unfortunately S-1-5-15 is the
SID for "This Organization" according to the "Well-known security
identifiers in Windows operating systems" document [WKSID]. OTOH, because
S-1-5-15 is a "leaf" SID and not a "namespace" it may be possible to assume
that the S-1-5-15-4095 SID cannot appear (I am not sure about that).

BTW, I have here a partitioning of the UID namespace that may help choose
the right mapping:

    /*
     * UID namespace partitioning (from [IDMAP] rules):
     *
     * 0x000000 + RID              S-1-5-RID,S-1-5-32-RID
     * 0x000ffe                    OtherSession
     * 0x000fff                    CurrentSession
     * 0x001000 * X + RID          S-1-5-X-RID ([WKSID]: X=1-15,17-21,32,64,80,83)
     * 0x010000 + 0x100 * X + Y    S-1-X-Y ([WKSID]: X=1,2,3,4,5,9,16)
     * 0x030000 + RID              S-1-5-21-X-Y-Z-RID
     * 0x060000 + RID              S-1-16-RID
     * 0x100000 + RID              S-1-5-21-X-Y-Z-RID
     */

Clearly the namespace is very busy with multiple overlapping ranges.

With all that and to help conclude this thread I gather here all the
proposed mappings. Corinna, I will use the one which you prefer the most:

    S-1-0-65534 <-> 65534
    S-1-0-65534 <-> -1==0xffffffff
    S-1-0-65534 <-> -2==0xfffffffe
    S-1-0-99    <-> -1==0xffffffff
    S-1-0-99    <-> -2==0xfffffffe

Bill

[IDMAP] https://cygwin.com/cygwin-ug-net/ntsec.html
[WKSID] https://support.microsoft.com/en-us/kb/243330
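
An added example, not part of the message above and not Cygwin code: it inverts the well-known-SID rows of the partitioning comment to list which SID forms would land on a candidate uid, which is the check needed before reserving a uid for "nobody". Assumptions not stated in the thread: RID < 0x1000 in the S-1-5-X-RID row, Y < 0x100 in the S-1-X-Y row, the S-1-16-RID row ends at 0x100000, and the two S-1-5-21 rows are left out because their RID range is not given; the name `candidate_sids` is hypothetical.

```python
# Reverse lookup over the well-known-SID rows of the partitioning comment.
# X sets are copied from the comment's [WKSID] annotations.
WK_S_1_5_X = set(range(1, 16)) | set(range(17, 22)) | {32, 64, 80, 83}
WK_S_1_X = {1, 2, 3, 4, 5, 9, 16}


def candidate_sids(uid):
    """Return every SID form whose formula in the table yields `uid`.

    A hit means the formula produces this uid, not that Windows ever
    issues that SID; more than one hit means two rows overlap.
    """
    uid &= 0xFFFFFFFF                  # treat -1 / -2 as 32-bit uids
    hits = []

    # Row "0x000000 + RID" plus the two session pseudo-entries.
    if uid < 0x1000:
        hits += [f"S-1-5-{uid}", f"S-1-5-32-{uid}"]
        if uid == 0xFFE:
            hits.append("OtherSession")
        if uid == 0xFFF:
            hits.append("CurrentSession")

    # Row "0x001000 * X + RID" (assumed RID < 0x1000).
    x, rid = uid >> 12, uid & 0xFFF
    if x in WK_S_1_5_X:
        hits.append(f"S-1-5-{x}-{rid}")

    # Row "0x010000 + 0x100 * X + Y" (assumed Y < 0x100).
    if uid >= 0x10000:
        off = uid - 0x10000
        if (off >> 8) in WK_S_1_X:
            hits.append(f"S-1-{off >> 8}-{off & 0xFF}")

    # Row "0x060000 + RID" (assumed to end where the 0x100000 row starts).
    if 0x60000 <= uid < 0x100000:
        hits.append(f"S-1-16-{uid - 0x60000}")
    return hits


if __name__ == "__main__":
    # The uid values proposed in the thread, then one overlapping uid.
    for uid in (65534, -1, -2, 0x11005):
        print(f"{uid & 0xFFFFFFFF:#010x} -> {candidate_sids(uid) or 'no well-known form'}")
```

An empty result for a uid only clears the rows modelled here; the S-1-5-21 rows still need checking against whatever RID range is actually in use.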