All operating systems depend on the provision of user credentials acceptable to the platform. UNIX requires the provision of a user identifier (UID) as well as a group identifier (GID). These are both simple integer numbers that are obtained from a password backend such as /etc/passwd.

Users and groups on a Windows NT server are assigned a relative ID (RID) which is unique for the domain when the user or group is created. To convert the Windows NT user or group into a UNIX user or group, a mapping between RIDs and UNIX user and group IDs is required. This is one of the jobs that winbind performs.

As winbind users and groups are resolved from a server, user and group IDs are allocated from a specified range. This is done on a first come, first served basis, although all existing users and groups will be mapped as soon as a client performs a user or group enumeration command. The allocated UNIX IDs are stored in a database file under the Samba lock directory and will be remembered.

The astute administrator will realize from this that the combination of pam_smbpass.so, winbindd , and a distributed passdb backend such as ldap will allow the establishment of a centrally managed, distributed user/password database that can also be used by all PAM-aware (e.g., Linux) programs and applications. This arrangement can have particularly potent advantages compared with the use of Microsoft Active Directory Service (ADS) insofar as the reduction of wide-area network authentication traffic.