#1614 Add DNA plugin configuration to handle SIDs
Closed: Invalid. Opened 12 years ago by sbose.

If a new user or group is created with the samba objectclass, the DNA plugin should not only create the UID or GID but also the SID.

For this we need a domain SID, which is currently only stored in the samba domain object, which may not be available by default. Should we generate a domain SID during the basic IPA installation and copy it to the samba domain object when running ipa-adtrust-install, or shall we require that ipa-adtrust-install be run before a user or a group with the samba objectclass can be created?


There are already some suggestions about how to do this in a posting by Ryan Thomson on freeipa-users https://www.redhat.com/archives/freeipa-users/2011-August/msg00124.html.

The DNA plugin already handles SIDs; what we need is to add configuration to do so when needed.

Actually, thinking again, I guess what we need is to make sure we can properly handle MPG groups, in the sense that we should not ever generate a new SID for them (Windows can't handle groups and users with the same name, and in general in Windows private groups do not make sense), so we should just ignore them and provide for a "fallback" primary group. Whether this should be done within the DNA plugin (prevent creating SIDs for MPGs) or through other configuration (not setting the samba group objectclass on MPGs) needs to be decided.

IIRC the SID is just another form of a UUID, but are there any requirements for generating one?

Uniqueness and the base (which is the domain SID) must be common to all the SIDs of a domain.

In theory we could simply have SID = DomainSID+gidNumber.
By default in IPA we have de facto consolidated the uid and gid number spaces, so at most the MPG group has the same numerical gid value as the corresponding user's uid, so in the default configuration there is no risk that you get a duplicate SID.

Except in case the admin creates duplicate UIDs/GIDs, or UID and GID numerically overlap so that a user and a group end up with the same SID.

Unfortunately these last cases can still happen even though the defaults are sane, so I am not sure we should actually have SID generated as DomainSID+gidNumber unless we find a clever way to deal with it when we end up creating a duplicate.
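The following is an added example, not FreeIPA project code, that applies the "SID = DomainSID + uidNumber/gidNumber" rule from the comments above to a small set of entries and reports where it breaks: an MPG group is skipped (no SID of its own, as the thread proposes), a duplicate uidNumber produces two users with one SID, and a manually created group whose gidNumber overlaps a user's uidNumber produces a user/group SID collision. The domain SID, the user and group records, and the MPG test (same name and same numeric id as a user) are constructed assumptions for the example; the thread itself later abandons this scheme in favour of the one described in #2825.

```python
"""Added example (not FreeIPA code): naive SID = DomainSID-RID assignment
and the duplicate-SID cases the ticket warns about."""
import re
from collections import defaultdict

# Constructed, hypothetical domain SID. In FreeIPA the real value lives in the
# samba domain object and is not generated here.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# A domain SID is S-1-5-21 followed by three 32-bit sub-authorities.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}$")


def make_sid(domain_sid: str, rid: int) -> str:
    """Compose DomainSID-RID; the RID is one more 32-bit sub-authority."""
    if not _DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError(f"RID out of 32-bit range: {rid}")
    return f"{domain_sid}-{rid}"


def is_mpg(group: dict, users_by_name: dict) -> bool:
    """Hypothetical MPG test: a group whose cn and gidNumber match a user's
    uid and uidNumber, which is how IPA's default layout looks."""
    user = users_by_name.get(group["cn"])
    return user is not None and user["uidNumber"] == group["gidNumber"]


def assign_sids(users, groups, domain_sid=DOMAIN_SID):
    """Apply SID = DomainSID + uidNumber (users) / gidNumber (groups).

    Returns (sids, conflicts). sids maps ("user"|"group", name) -> SID; MPG
    groups get no SID (they are meant to fall back to a shared primary group).
    conflicts maps a SID to every entry that claimed it, which is exactly the
    duplicate case the ticket says a real scheme must avoid.
    """
    users_by_name = {u["uid"]: u for u in users}
    owners = defaultdict(list)
    sids = {}
    for u in users:
        sid = make_sid(domain_sid, u["uidNumber"])
        sids[("user", u["uid"])] = sid
        owners[sid].append(("user", u["uid"]))
    for g in groups:
        if is_mpg(g, users_by_name):
            continue  # never mint a SID for a private group
        sid = make_sid(domain_sid, g["gidNumber"])
        sids[("group", g["cn"])] = sid
        owners[sid].append(("group", g["cn"]))
    conflicts = {sid: names for sid, names in owners.items() if len(names) > 1}
    return sids, conflicts


# Constructed sample directory contents.
USERS = [
    {"uid": "alice", "uidNumber": 1000},
    {"uid": "bob", "uidNumber": 1001},
    {"uid": "carol", "uidNumber": 1000},  # admin error: duplicate uidNumber
]
GROUPS = [
    {"cn": "alice", "gidNumber": 1000},       # alice's MPG
    {"cn": "bob", "gidNumber": 1001},         # bob's MPG
    {"cn": "developers", "gidNumber": 5000},  # ordinary group
    {"cn": "admins", "gidNumber": 1001},      # gidNumber overlaps bob's uidNumber
]


def example():
    """Run the assignment over the constructed sample data."""
    return assign_sids(USERS, GROUPS)


if __name__ == "__main__":
    sids, conflicts = example()
    for key, sid in sorted(sids.items()):
        print(f"{key[0]:5} {key[1]:10} {sid}")
    for sid, names in conflicts.items():
        print("CONFLICT", sid, "claimed by", names)
```

Running it lists five SIDs (the two MPG groups are skipped) and two conflicts: the -1000 SID claimed by both alice and carol, and the -1001 SID claimed by the user bob and the group admins. Both are cases an admin can create with nothing more than a non-default gidNumber, which is the reason given in the thread for not deriving the SID from the POSIX id directly.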

Ongoing discussion on freeipa-devel

Waiting for other trust-related patches to be committed.

We won't use the DNA plugin; the algorithmic scheme is described in #2825.

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2012/05
