RSS feed

ObjectSid to uid/gid vs sssd

[Date Prev][Date Next] [Thread Prev][Thread Next]

ObjectSid to uid/gid vs sssd

We are using the objectSid:S-1-5-21-3623811015-3361044348-30300820 feature of 
nslcd to lookup against active directory. It correctly results in reasonable 
The issue we ran into is that to some of our servers are using sssd to fully 
join an AD domain, yet we need ids to be consistent. The way the two 
translate/generate uids/gids is slightly different.

  zack: uid=1234
  bob:  uid=14567

  zack:  1351801234
  bob:   1351814567
(The same rule holds true for groups as well.)

 We can see the constant value of 1351800000 is being added on the SSSD side 
(derived from the domain part of the objectSID) with the last 5 digits beings 
the same as nslcd. 
To make this consistent we’ve added a config option to nslcd called 
“sid_conversion_offset” that will get added (and subtracted when going the 
other direction) to the value nslcd typically generates.
ex in nslcd.conf:
sid_conversion_offset 1351800000

produces results that match sssd, i.e.
  zack:  1351801234
  bob:   1351814567

another use case would be to ensure that everything in AD is above a certain 
cutoff. It was only a matter of a few loc to add this capability, Happy to 
share changes if interested, or if its too niche thats fine too.

Zack Ramjan

To unsubscribe send an email to or see