The POSIX offset is a mechanism that Interix uses to create user identifiers (UIDs) and group identifiers (GIDs) that can represent Windows security identifiers (SIDs) throughout a large network. Occasionally, when a network contains a very large number of domains and one or more domains contain a large number of users, the POSIX offsets for a domain might need to be adjusted to prevent value conflicts. This topic describes how Interix constructs UIDs and GIDs using the POSIX offset, problems that can be caused by unusual networks, and how to deal with those problems.
UNIX UIDs and GIDs are integers. Originally 16-bit values, UIDs and GIDs are now often larger values on newer versions of UNIX, including Interix. UIDs and GIDs are guaranteed to be unique within a single computer, although tools such as Network Information Service (NIS) can be used to distribute UIDs and GIDs among several computers, ensuring that they are unique throughout a local-area network.
(Because UIDs and GIDs are so similar in their semantics and interpretation, they will be treated as being equivalent in this topic. Consequently, you can assume that references to UIDs apply equally to GIDs.)
The Windows equivalent of the UID is the security identifier (SID), a string-like object consisting of multiple components usually represented in the form
A SID is composed of two parts, a domain identifier and a relative identifier (RID). The domain identifier is unique across all domains in all networks. RID values, on the other hand, are unique only within a given domain.
Because Interix relies on the security mechanisms provided by Windows as the platform for its own UNIX-style security, Interix must be able to represent SIDs as UIDs. Within the context of a single Windows computer or even a Windows networking domain, this is rarely a problem because a 32-bit UID can theoretically represent any one of about 4 billion users, far more than any domain or collection of domains would require. The problem is that UIDs have no inherent structure, so it is difficult to ensure their uniqueness across multiple domains. The POSIX offset, however, provides a solution to this problem.
Somewhat like a SID, an Interix UID consists of two major parts: the POSIX offset, which identifies a trusted domain within the network, and an RID that identifies a user or group in that domain. The POSIX offset occupies the high-order 12 bits of the 32-bit UID, while the low-order 20 bits contain the RID. This means that, in theory at least, an Interix UID can represent any one of approximately 1 million users in any one of more than 4000 trusted domains.
These limits are well within the requirements of most network configurations. In those rare cases where a domain must contain more than a million users, however, the size of the POSIX offset can be decreased to accommodate a larger RID and hence, more users in the domain. This means that the possible number of trusted domains would have to be decreased.
Whenever a trust relationship is created between two domains, the domain controller of the domain establishing the trust relationship assigns a POSIX offset value to the other, trusted domain. Because these values are assigned beginning with the high-order bits, the domains added first can contain more RIDs (users) than domains for which trust relationships are created later. This distribution (largest domains trusted first) might not meet the network's requirements.
An additional problem with this scheme is the fact that the POSIX offset value is assigned by a domain controller based on the order in which the trust relationship was created. That means that in a network with two domains that trust each other, each domain will assign the same POSIX offset to the other. As a consequence, there will be considerable overlap between the UID values (the combination of POSIX offset and RIDs) of the two domains. This can create a problem when files are transferred from one domain to another by utilities such as pax(1) that preserve ownership information for files.
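The following added example (not part of the original topic, and not Interix code) models the UID layout described above and shows how a file owner is reinterpreted when two domains have assigned the same POSIX offset to each other and the numeric UID is preserved across a transfer. The domain names DOMA and DOMB, the offset values, the RID 1105 and all function names are constructed for illustration.

```python
# Added illustration: models the UID layout described in this topic (POSIX
# offset in the high-order bits, RID in the low-order bits). Domain names,
# offsets and RIDs are constructed sample data, not values from a real network.
UID_BITS = 32

def pack_uid(offset, rid, offset_bits=12):
    """Combine a POSIX offset and a RID into one 32-bit UID."""
    rid_bits = UID_BITS - offset_bits
    if not 0 <= offset < (1 << offset_bits):
        raise ValueError(f"offset {offset} does not fit in {offset_bits} bits")
    if not 0 <= rid < (1 << rid_bits):
        raise ValueError(f"RID {rid} does not fit in {rid_bits} bits")
    return (offset << rid_bits) | rid

def unpack_uid(uid, offset_bits=12):
    """Split a UID back into (offset, rid)."""
    rid_bits = UID_BITS - offset_bits
    return uid >> rid_bits, uid & ((1 << rid_bits) - 1)

def resolve(uid, offset_table, offset_bits=12):
    """Map a UID to (domain, rid) using one domain's offset assignments."""
    offset, rid = unpack_uid(uid, offset_bits)
    return offset_table.get(offset, "<unknown>"), rid

def owner_after_transfer(owner, src_table, dst_table, offset_bits=12):
    """Return who a file owner becomes when the numeric UID is preserved
    by an archive utility and reinterpreted in another domain."""
    domain, rid = owner
    by_name = {name: off for off, name in src_table.items()}
    uid = pack_uid(by_name[domain], rid, offset_bits)
    return resolve(uid, dst_table, offset_bits)

# Each domain assigned the same offset (here 1) to the other one.
TABLE_IN_A = {1: "DOMB"}   # assignments seen by computers in DOMA
TABLE_IN_B = {1: "DOMA"}   # assignments seen by computers in DOMB
# Constructed scenario in which the two assignments no longer coincide.
FIXED_IN_A = {3: "DOMB"}
FIXED_IN_B = {2: "DOMA"}

if __name__ == "__main__":
    # Same offset on both sides: DOMB's RID 1105 is read back as DOMA's 1105.
    print(owner_after_transfer(("DOMB", 1105), TABLE_IN_A, TABLE_IN_B))
    # Distinct offsets: the UID no longer maps onto another domain's account.
    print(owner_after_transfer(("DOMB", 1105), FIXED_IN_A, FIXED_IN_B))
    # A RID beyond 20 bits only fits if the offset field is made narrower.
    print(hex(pack_uid(1, 1 << 20, offset_bits=10)))
```

With the default 12-bit offset, `pack_uid` rejects any RID of 2^20 or more, which is the case the narrower offset field is meant to accommodate.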
You can use the psxoffset(1) utility to assign POSIX offset values to the domains trusted by a domain. This can help you achieve either of two goals:
Typically, the first step is to use the
After the new POSIX offset values have been assigned in a domain, every computer in the domain running the Interix subsystem must be restarted to ensure that it receives the new values.