> BTW, nasty as it is, this _is_ relevant. I've come across
> this at quite a number of sites already.

Yes, I can see it matters.

What do you think of the strategy of mapping both the old SID of the
user and the new SID of the user to the same unix uid? That's
presuming of course that we can detect this (I can think of some ways
we might tackle that aspect of it).

The advantage of mapping both the old SID and the new SID to the same
uid is that ACLs keep working really well, as does file ownership. The
disadvantage would seem to be that we would break with the idea of
a one-to-one mapping of uid to SID. I can't see why keeping it
one-to-one is vital.

As far as detecting it goes, what we'd really need to detect is the
domain conversion itself. Then doing the actual mapping shouldn't be
too hard, as it would be a pretty good bet that the usernames are kept
the same (not guaranteed I know, but should be pretty good).
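
The many-to-one mapping proposed in the message above, as an added sketch that is not part of the original message or any project's code: after a detected domain conversion, each new SID is aliased to the uid of the old SID with the same username, and usernames that do not match are reported rather than guessed. The domain SIDs, RIDs, uids, the `SidMap` class and the choice to report the newest SID for a uid are all assumptions made for illustration.

```python
# Added illustration; domain SIDs, RIDs and uids below are constructed sample data.
OLD_DOMAIN = "S-1-5-21-1111-2222-3333"
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"
OLD_USERS = {"alice": 1001, "bob": 1002, "carol": 1003}  # username -> RID before
NEW_USERS = {"alice": 2107, "bob": 2108, "dave": 2109}   # username -> RID after


class SidMap:
    """SID -> uid may be many-to-one; uid -> SID returns one preferred SID."""

    def __init__(self):
        self.sid_to_uid = {}
        self.uid_to_sid = {}

    def add(self, sid, uid):
        # Assumption: the most recently added SID is the one reported for the uid.
        self.sid_to_uid[sid] = uid
        self.uid_to_sid[uid] = sid


def alias_converted_users(idmap, old_domain, old_users, new_domain, new_users):
    """Map each new SID to the uid already held by the same username's old SID.

    Returns the usernames that could not be matched, since usernames are
    likely but not guaranteed to survive the conversion.
    """
    unmatched = []
    for name, new_rid in sorted(new_users.items()):
        old_sid = f"{old_domain}-{old_users[name]}" if name in old_users else None
        uid = idmap.sid_to_uid.get(old_sid)
        if uid is None:
            unmatched.append(name)  # needs a fresh uid or manual review
            continue
        idmap.add(f"{new_domain}-{new_rid}", uid)
    return unmatched


def build_example():
    """Populate the map with the old domain, then apply the conversion."""
    idmap = SidMap()
    for offset, (_name, rid) in enumerate(sorted(OLD_USERS.items())):
        idmap.add(f"{OLD_DOMAIN}-{rid}", 5000 + offset)
    unmatched = alias_converted_users(idmap, OLD_DOMAIN, OLD_USERS, NEW_DOMAIN, NEW_USERS)
    return idmap, unmatched


if __name__ == "__main__":
    idmap, unmatched = build_example()
    print(idmap.sid_to_uid, unmatched)
```

Files and ACL entries that still carry the old SID resolve to the same uid as the new SID, which is the property the message is after.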