@@ -56,21 +56,21 @@ type SessionGetter interface {

 // BuildManager is shared across all Builder objects

 type BuildManager struct {

-	idMappings *idtools.IDMappings

-	backend    builder.Backend

-	pathCache  pathCache // TODO: make this persistent

-	sg         SessionGetter

-	fsCache    *fscache.FSCache

+	idMapping *idtools.IdentityMapping

+	backend   builder.Backend

+	pathCache pathCache // TODO: make this persistent

+	sg        SessionGetter

+	fsCache   *fscache.FSCache

 }

 // NewBuildManager creates a BuildManager

-func NewBuildManager(b builder.Backend, sg SessionGetter, fsCache *fscache.FSCache, idMappings *idtools.IDMappings) (*BuildManager, error) {

+func NewBuildManager(b builder.Backend, sg SessionGetter, fsCache *fscache.FSCache, identityMapping *idtools.IdentityMapping) (*BuildManager, error) {

 	bm := &BuildManager{

-		backend:    b,

-		pathCache:  &syncmap.Map{},

-		sg:         sg,

-		idMappings: idMappings,

-		fsCache:    fsCache,

+		backend:   b,

+		pathCache: &syncmap.Map{},

+		sg:        sg,

+		idMapping: identityMapping,

+		fsCache:   fsCache,

 	}

 	if err := fsCache.RegisterTransport(remotecontext.ClientSessionRemote, NewClientSessionTransport()); err != nil {

 		return nil, err

@@ -111,7 +111,7 @@ func (bm *BuildManager) Build(ctx context.Context, config backend.BuildConfig) (

 		ProgressWriter: config.ProgressWriter,

 		Backend:        bm.backend,

 		PathCache:      bm.pathCache,

-		IDMappings:     bm.idMappings,

+		IDMapping:      bm.idMapping,

 	}

 	b, err := newBuilder(ctx, builderOptions)

 	if err != nil {

@@ -159,7 +159,7 @@ type builderOptions struct {

 	Backend        builder.Backend

 	ProgressWriter backend.ProgressWriter

 	PathCache      pathCache

-	IDMappings     *idtools.IDMappings

+	IDMapping      *idtools.IdentityMapping

 }

 // Builder is a Dockerfile builder

@@ -175,7 +175,7 @@ type Builder struct {

 	docker    builder.Backend

 	clientCtx context.Context

-	idMappings       *idtools.IDMappings

+	idMapping        *idtools.IdentityMapping

 	disableCommit    bool

 	imageSources     *imageSources

 	pathCache        pathCache

@@ -199,7 +199,7 @@ func newBuilder(clientCtx context.Context, options builderOptions) (*Builder, er

 		Aux:              options.ProgressWriter.AuxFormatter,

 		Output:           options.ProgressWriter.Output,

 		docker:           options.Backend,

-		idMappings:       options.IDMappings,

+		idMapping:        options.IDMapping,

 		imageSources:     newImageSources(clientCtx, options),

 		pathCache:        options.PathCache,

 		imageProber:      newImageProber(options.Backend, config.CacheFrom, config.NoCache),

@@ -451,7 +451,7 @@ func downloadSource(output io.Writer, stdout io.Writer, srcURL string) (remote b

 type copyFileOptions struct {

 	decompress bool

-	chownPair  idtools.IDPair

+	identity   idtools.Identity

 	archiver   Archiver

 }

@@ -481,7 +481,7 @@ func performCopyForInfo(dest copyInfo, source copyInfo, options copyFileOptions)

 		return errors.Wrapf(err, "source path not found")

 	}

 	if src.IsDir() {

-		return copyDirectory(archiver, srcEndpoint, destEndpoint, options.chownPair)

+		return copyDirectory(archiver, srcEndpoint, destEndpoint, options.identity)

 	}

 	if options.decompress && isArchivePath(source.root, srcPath) && !source.noDecompress {

 		return archiver.UntarPath(srcPath, destPath)

@@ -499,7 +499,7 @@ func performCopyForInfo(dest copyInfo, source copyInfo, options copyFileOptions)

 		destPath = dest.root.Join(destPath, source.root.Base(source.path))

 		destEndpoint = &copyEndpoint{driver: dest.root, path: destPath}

 	}

-	return copyFile(archiver, srcEndpoint, destEndpoint, options.chownPair)

+	return copyFile(archiver, srcEndpoint, destEndpoint, options.identity)

 }

 func isArchivePath(driver containerfs.ContainerFS, path string) bool {

@@ -517,7 +517,7 @@ func isArchivePath(driver containerfs.ContainerFS, path string) bool {

 	return err == nil

 }

-func copyDirectory(archiver Archiver, source, dest *copyEndpoint, chownPair idtools.IDPair) error {

+func copyDirectory(archiver Archiver, source, dest *copyEndpoint, identity idtools.Identity) error {

 	destExists, err := isExistingDirectory(dest)

 	if err != nil {

 		return errors.Wrapf(err, "failed to query destination path")

@@ -527,17 +527,17 @@ func copyDirectory(archiver Archiver, source, dest *copyEndpoint, chownPair idto

 		return errors.Wrapf(err, "failed to copy directory")

 	}

 	// TODO: @gupta-ak. Investigate how LCOW permission mappings will work.

-	return fixPermissions(source.path, dest.path, chownPair, !destExists)

+	return fixPermissions(source.path, dest.path, identity, !destExists)

 }

-func copyFile(archiver Archiver, source, dest *copyEndpoint, chownPair idtools.IDPair) error {

+func copyFile(archiver Archiver, source, dest *copyEndpoint, identity idtools.Identity) error {

 	if runtime.GOOS == "windows" && dest.driver.OS() == "linux" {

 		// LCOW

 		if err := dest.driver.MkdirAll(dest.driver.Dir(dest.path), 0755); err != nil {

 			return errors.Wrapf(err, "failed to create new directory")

 		}

 	} else {

-		if err := idtools.MkdirAllAndChownNew(filepath.Dir(dest.path), 0755, chownPair); err != nil {

+		if err := idtools.MkdirAllAndChownNew(filepath.Dir(dest.path), 0755, identity); err != nil {

 			// Normal containers

 			return errors.Wrapf(err, "failed to create new directory")

 		}

@@ -547,7 +547,7 @@ func copyFile(archiver Archiver, source, dest *copyEndpoint, chownPair idtools.I

 		return errors.Wrapf(err, "failed to copy file")

 	}

 	// TODO: @gupta-ak. Investigate how LCOW permission mappings will work.

-	return fixPermissions(source.path, dest.path, chownPair, false)

+	return fixPermissions(source.path, dest.path, identity, false)

 }

 func endsInSlash(driver containerfs.Driver, path string) bool {

@@ -10,7 +10,7 @@ import (

 	"github.com/docker/docker/pkg/idtools"

 )

-func fixPermissions(source, destination string, rootIDs idtools.IDPair, overrideSkip bool) error {

+func fixPermissions(source, destination string, identity idtools.Identity, overrideSkip bool) error {

 	var (

 		skipChownRoot bool

 		err           error

@@ -39,7 +39,7 @@ func fixPermissions(source, destination string, rootIDs idtools.IDPair, override

 		}

 		fullpath = filepath.Join(destination, cleaned)

-		return os.Lchown(fullpath, rootIDs.UID, rootIDs.GID)

+		return os.Lchown(fullpath, identity.UID, identity.GID)

 	})

 }

@@ -1,11 +1,17 @@

 package dockerfile // import "github.com/docker/docker/builder/dockerfile"

 import (

-	"errors"

+	"fmt"

+	"os"

 	"path/filepath"

 	"strings"

+	"github.com/Microsoft/go-winio"

 	"github.com/docker/docker/pkg/idtools"

+	"github.com/docker/docker/pkg/reexec"

+	"github.com/docker/docker/pkg/system"

+	"github.com/pkg/errors"

+	"golang.org/x/sys/windows"

 )

 var pathBlacklist = map[string]bool{

@@ -13,9 +19,69 @@ var pathBlacklist = map[string]bool{

 	"c:\\windows": true,

 }

-func fixPermissions(source, destination string, rootIDs idtools.IDPair, overrideSkip bool) error {

-	// chown is not supported on Windows

-	return nil

+func init() {

+	reexec.Register("windows-fix-permissions", fixPermissionsReexec)

+}

+

+func fixPermissions(source, destination string, identity idtools.Identity, _ bool) error {

+	if identity.SID == "" {

+		return nil

+	}

+

+	cmd := reexec.Command("windows-fix-permissions", source, destination, identity.SID)

+	output, err := cmd.CombinedOutput()

+

+	return errors.Wrapf(err, "failed to exec windows-fix-permissions: %s", output)

+}

+

+func fixPermissionsReexec() {

+	err := fixPermissionsWindows(os.Args[1], os.Args[2], os.Args[3])

+	if err != nil {

+		fmt.Fprint(os.Stderr, err)

+		os.Exit(1)

+	}

+}

+

+func fixPermissionsWindows(source, destination, SID string) error {

+

+	privileges := []string{winio.SeRestorePrivilege, system.SeTakeOwnershipPrivilege}

+

+	err := winio.EnableProcessPrivileges(privileges)

+	if err != nil {

+		return err

+	}

+

+	defer winio.DisableProcessPrivileges(privileges)

+

+	sid, err := windows.StringToSid(SID)

+	if err != nil {

+		return err

+	}

+

+	// Owners on *nix have read/write/delete/read control and write DAC.

+	// Add an ACE that grants this to the user/group specified with the

+	// chown option. Currently Windows is not honoring the owner change,

+	// however, they are aware of this and it should be fixed at some

+	// point.

+

+	sddlString := system.SddlAdministratorsLocalSystem

+	sddlString += "(A;OICI;GRGWGXRCWDSD;;;" + SID + ")"

+

+	securityDescriptor, err := winio.SddlToSecurityDescriptor(sddlString)

+	if err != nil {

+		return err

+	}

+

+	var daclPresent uint32

+	var daclDefaulted uint32

+	var dacl *byte

+

+	err = system.GetSecurityDescriptorDacl(&securityDescriptor[0], &daclPresent, &dacl, &daclDefaulted)

+	if err != nil {

+		return err

+	}

+

+	return system.SetNamedSecurityInfo(windows.StringToUTF16Ptr(destination), system.SE_FILE_OBJECT, system.OWNER_SECURITY_INFORMATION|system.DACL_SECURITY_INFORMATION, sid, nil, dacl, nil)

 }

 func validateCopySourcePath(imageSource *imageMount, origPath, platform string) error {

@@ -37,7 +37,7 @@ type Archiver interface {

 	UntarPath(src, dst string) error

 	CopyWithTar(src, dst string) error

 	CopyFileWithTar(src, dst string) error

-	IDMappings() *idtools.IDMappings

+	IdentityMapping() *idtools.IdentityMapping

 }

 // The builder will use the following interfaces if the container fs implements

@@ -68,11 +68,11 @@ func tarFunc(i interface{}) containerfs.TarFunc {

 func (b *Builder) getArchiver(src, dst containerfs.Driver) Archiver {

 	t, u := tarFunc(src), untarFunc(dst)

 	return &containerfs.Archiver{

-		SrcDriver:     src,

-		DstDriver:     dst,

-		Tar:           t,

-		Untar:         u,

-		IDMappingsVar: b.idMappings,

+		SrcDriver: src,

+		DstDriver: dst,

+		Tar:       t,

+		Untar:     u,

+		IDMapping: b.idMapping,

 	}

 }

@@ -185,14 +185,18 @@ func (b *Builder) performCopy(req dispatchRequest, inst copyInstruction) error {

 		return err

 	}

-	chownPair := b.idMappings.RootPair()

+	identity := b.idMapping.RootPair()

 	// if a chown was requested, perform the steps to get the uid, gid

 	// translated (if necessary because of user namespaces), and replace

 	// the root pair with the chown pair for copy operations

 	if inst.chownStr != "" {

-		chownPair, err = parseChownFlag(inst.chownStr, destInfo.root.Path(), b.idMappings)

+		identity, err = parseChownFlag(b, state, inst.chownStr, destInfo.root.Path(), b.idMapping)

 		if err != nil {

-			return errors.Wrapf(err, "unable to convert uid/gid chown string to host mapping")

+			if b.options.Platform != "windows" {

+				return errors.Wrapf(err, "unable to convert uid/gid chown string to host mapping")

+			}

+

+			return errors.Wrapf(err, "unable to map container user account name to SID")

 		}

 	}

@@ -200,7 +204,7 @@ func (b *Builder) performCopy(req dispatchRequest, inst copyInstruction) error {

 		opts := copyFileOptions{

 			decompress: inst.allowLocalDecompression,

 			archiver:   b.getArchiver(info.root, destInfo.root),

-			chownPair:  chownPair,

+			identity:   identity,

 		}

 		if err := performCopyForInfo(destInfo, info, opts); err != nil {

 			return errors.Wrapf(err, "failed to copy files")

@@ -11,11 +11,11 @@ import (

 	"github.com/pkg/errors"

 )

-func parseChownFlag(chown, ctrRootPath string, idMappings *idtools.IDMappings) (idtools.IDPair, error) {

+func parseChownFlag(builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping *idtools.IdentityMapping) (idtools.Identity, error) {

 	var userStr, grpStr string

 	parts := strings.Split(chown, ":")

 	if len(parts) > 2 {

-		return idtools.IDPair{}, errors.New("invalid chown string format: " + chown)

+		return idtools.Identity{}, errors.New("invalid chown string format: " + chown)

 	}

 	if len(parts) == 1 {

 		// if no group specified, use the user spec as group as well

@@ -26,25 +26,25 @@ func parseChownFlag(chown, ctrRootPath string, idMappings *idtools.IDMappings) (

 	passwdPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "passwd"), ctrRootPath)

 	if err != nil {

-		return idtools.IDPair{}, errors.Wrapf(err, "can't resolve /etc/passwd path in container rootfs")

+		return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/passwd path in container rootfs")

 	}

 	groupPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "group"), ctrRootPath)

 	if err != nil {

-		return idtools.IDPair{}, errors.Wrapf(err, "can't resolve /etc/group path in container rootfs")

+		return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/group path in container rootfs")

 	}

 	uid, err := lookupUser(userStr, passwdPath)

 	if err != nil {

-		return idtools.IDPair{}, errors.Wrapf(err, "can't find uid for user "+userStr)

+		return idtools.Identity{}, errors.Wrapf(err, "can't find uid for user "+userStr)

 	}

 	gid, err := lookupGroup(grpStr, groupPath)

 	if err != nil {

-		return idtools.IDPair{}, errors.Wrapf(err, "can't find gid for group "+grpStr)

+		return idtools.Identity{}, errors.Wrapf(err, "can't find gid for group "+grpStr)

 	}

 	// convert as necessary because of user namespaces

-	chownPair, err := idMappings.ToHost(idtools.IDPair{UID: uid, GID: gid})

+	chownPair, err := identityMapping.ToHost(idtools.Identity{UID: uid, GID: gid})

 	if err != nil {

-		return idtools.IDPair{}, errors.Wrapf(err, "unable to convert uid/gid to host mapping")

+		return idtools.Identity{}, errors.Wrapf(err, "unable to convert uid/gid to host mapping")

 	}

 	return chownPair, nil

 }

@@ -5,6 +5,7 @@ import (

 	"path/filepath"

 	"testing"

+	"github.com/docker/docker/api/types"

 	"github.com/docker/docker/pkg/idtools"

 	"gotest.tools/assert"

 	is "gotest.tools/assert/cmp"

@@ -34,7 +35,7 @@ othergrp:x:6666:

 		},

 	}

 	remapped := idtools.NewIDMappingsFromMaps(idMaps, idMaps)

-	unmapped := &idtools.IDMappings{}

+	unmapped := &idtools.IdentityMapping{}

 	contextDir, cleanup := createTestTempDir(t, "", "builder-chown-parse-test")

 	defer cleanup()

@@ -49,56 +50,72 @@ othergrp:x:6666:

 	// positive tests

 	for _, testcase := range []struct {

+		builder   *Builder

 		name      string

 		chownStr  string

-		idMapping *idtools.IDMappings

-		expected  idtools.IDPair

+		idMapping *idtools.IdentityMapping

+		state     *dispatchState

+		expected  idtools.Identity

 	}{

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UIDNoMap",

 			chownStr:  "1",

 			idMapping: unmapped,

-			expected:  idtools.IDPair{UID: 1, GID: 1},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 1, GID: 1},

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UIDGIDNoMap",

 			chownStr:  "0:1",

 			idMapping: unmapped,

-			expected:  idtools.IDPair{UID: 0, GID: 1},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 0, GID: 1},

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UIDWithMap",

 			chownStr:  "0",

 			idMapping: remapped,

-			expected:  idtools.IDPair{UID: 100000, GID: 100000},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 100000, GID: 100000},

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UIDGIDWithMap",

 			chownStr:  "1:33",

 			idMapping: remapped,

-			expected:  idtools.IDPair{UID: 100001, GID: 100033},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 100001, GID: 100033},

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UserNoMap",

 			chownStr:  "bin:5555",

 			idMapping: unmapped,

-			expected:  idtools.IDPair{UID: 1, GID: 5555},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 1, GID: 5555},

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "GroupWithMap",

 			chownStr:  "0:unicorn",

 			idMapping: remapped,

-			expected:  idtools.IDPair{UID: 100000, GID: 101002},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 100000, GID: 101002},

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UserOnlyWithMap",

 			chownStr:  "unicorn",

 			idMapping: remapped,

-			expected:  idtools.IDPair{UID: 101001, GID: 101002},

+			state:     &dispatchState{},

+			expected:  idtools.Identity{UID: 101001, GID: 101002},

 		},

 	} {

 		t.Run(testcase.name, func(t *testing.T) {

-			idPair, err := parseChownFlag(testcase.chownStr, contextDir, testcase.idMapping)

+			idPair, err := parseChownFlag(testcase.builder, testcase.state, testcase.chownStr, contextDir, testcase.idMapping)

 			assert.NilError(t, err, "Failed to parse chown flag: %q", testcase.chownStr)

 			assert.Check(t, is.DeepEqual(testcase.expected, idPair), "chown flag mapping failure")

 		})

@@ -106,32 +123,40 @@ othergrp:x:6666:

 	// error tests

 	for _, testcase := range []struct {

+		builder   *Builder

 		name      string

 		chownStr  string

-		idMapping *idtools.IDMappings

+		idMapping *idtools.IdentityMapping

+		state     *dispatchState

 		descr     string

 	}{

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "BadChownFlagFormat",

 			chownStr:  "bob:1:555",

 			idMapping: unmapped,

+			state:     &dispatchState{},

 			descr:     "invalid chown string format: bob:1:555",

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "UserNoExist",

 			chownStr:  "bob",

 			idMapping: unmapped,

+			state:     &dispatchState{},

 			descr:     "can't find uid for user bob: no such user: bob",

 		},

 		{

+			builder:   &Builder{options: &types.ImageBuildOptions{Platform: "linux"}},

 			name:      "GroupNoExist",

 			chownStr:  "root:bob",

 			idMapping: unmapped,

+			state:     &dispatchState{},

 			descr:     "can't find gid for group bob: no such group: bob",

 		},

 	} {

 		t.Run(testcase.name, func(t *testing.T) {

-			_, err := parseChownFlag(testcase.chownStr, contextDir, testcase.idMapping)

+			_, err := parseChownFlag(testcase.builder, testcase.state, testcase.chownStr, contextDir, testcase.idMapping)

 			assert.Check(t, is.Error(err, testcase.descr), "Expected error string doesn't match")

 		})

 	}

@@ -1,7 +1,120 @@

 package dockerfile // import "github.com/docker/docker/builder/dockerfile"

-import "github.com/docker/docker/pkg/idtools"

+import (

+	"bytes"

+	"os"

+	"path/filepath"

+	"strings"

-func parseChownFlag(chown, ctrRootPath string, idMappings *idtools.IDMappings) (idtools.IDPair, error) {

-	return idMappings.RootPair(), nil

+	"github.com/containerd/containerd/platforms"

+	"github.com/docker/docker/api/types/container"

+	"github.com/docker/docker/api/types/mount"

+	"github.com/docker/docker/pkg/idtools"

+	"github.com/docker/docker/pkg/jsonmessage"

+	"github.com/docker/docker/pkg/system"

+	"github.com/pkg/errors"

+	"golang.org/x/sys/windows"

+)

+

+func parseChownFlag(builder *Builder, state *dispatchState, chown, ctrRootPath string, identityMapping *idtools.IdentityMapping) (idtools.Identity, error) {

+	if builder.options.Platform == "windows" {

+		return getAccountIdentity(builder, chown, ctrRootPath, state)

+	}

+

+	return identityMapping.RootPair(), nil

+}

+

+func getAccountIdentity(builder *Builder, accountName string, ctrRootPath string, state *dispatchState) (idtools.Identity, error) {

+	// If this is potentially a string SID then attempt to convert it to verify

+	// this, otherwise continue looking for the account.

+	if strings.HasPrefix(accountName, "S-") || strings.HasPrefix(accountName, "s-") {

+		sid, err := windows.StringToSid(accountName)

+

+		if err == nil {

+			accountSid, err := sid.String()

+

+			if err != nil {

+				return idtools.Identity{SID: ""}, errors.Wrapf(err, "error converting SID to string")

+			}

+

+			return idtools.Identity{SID: accountSid}, nil

+		}

+	}

+

+	// Attempt to obtain the SID using the name.

+	sid, _, accType, err := windows.LookupSID("", accountName)

+

+	// If this is a SID that is built-in and hence the same across all systems then use that.

+	if err == nil && (accType == windows.SidTypeAlias || accType == windows.SidTypeWellKnownGroup) {

+		accountSid, err := sid.String()

+

+		if err != nil {

+			return idtools.Identity{SID: ""}, errors.Wrapf(err, "error converting SID to string")

+		}

+

+		return idtools.Identity{SID: accountSid}, nil

+	}

+

+	// Check if the account name is one unique to containers.

+	if strings.EqualFold(accountName, "ContainerAdministrator") {

+		return idtools.Identity{SID: system.ContainerAdministratorSidString}, nil

+

+	} else if strings.EqualFold(accountName, "ContainerUser") {

+		return idtools.Identity{SID: system.ContainerUserSidString}, nil

+	}

+

+	// All other lookups failed, so therefore determine if the account in

+	// question exists in the container and if so, obtain its SID.

+	return lookupNTAccount(builder, accountName, state)

+}

+

+func lookupNTAccount(builder *Builder, accountName string, state *dispatchState) (idtools.Identity, error) {

+

+	source, _ := filepath.Split(os.Args[0])

+

+	target := "C:\\Docker"

+	targetExecutable := target + "\\containerutility.exe"

+

+	optionsPlatform, err := platforms.Parse(builder.options.Platform)

+	if err != nil {

+		return idtools.Identity{}, err

+	}

+

+	runConfig := copyRunConfig(state.runConfig,

+		withCmdCommentString("internal run to obtain NT account information.", optionsPlatform.OS))

+

+	runConfig.ArgsEscaped = true

+	runConfig.Cmd = []string{targetExecutable, "getaccountsid", accountName}

+

+	hostConfig := &container.HostConfig{Mounts: []mount.Mount{

+		{

+			Type:     mount.TypeBind,

+			Source:   source,

+			Target:   target,

+			ReadOnly: true,

+		},

+	},

+	}

+

+	container, err := builder.containerManager.Create(runConfig, hostConfig)

+	if err != nil {

+		return idtools.Identity{}, err

+	}

+

+	stdout := new(bytes.Buffer)

+	stderr := new(bytes.Buffer)

+

+	if err := builder.containerManager.Run(builder.clientCtx, container.ID, stdout, stderr); err != nil {

+		if err, ok := err.(*statusCodeError); ok {

+			return idtools.Identity{}, &jsonmessage.JSONError{

+				Message: stderr.String(),

+				Code:    err.StatusCode(),

+			}

+		}

+		return idtools.Identity{}, err

+	}

+

+	accountSid := stdout.String()

+

+	return idtools.Identity{SID: accountSid}, nil

 }

@@ -267,7 +267,7 @@ func newRouterOptions(config *config.Config, daemon *daemon.Daemon) (routerOptio

 		return opts, errors.Wrap(err, "failed to create fscache")

 	}

-	manager, err := dockerfile.NewBuildManager(daemon.BuilderBackend(), sm, buildCache, daemon.IDMappings())

+	manager, err := dockerfile.NewBuildManager(daemon.BuilderBackend(), sm, buildCache, daemon.IdentityMapping())

 	if err != nil {

 		return opts, err

 	}

@@ -254,7 +254,7 @@ func (container *Container) WriteHostConfig() (*containertypes.HostConfig, error

 }

 // SetupWorkingDirectory sets up the container's working directory as set in container.Config.WorkingDir

-func (container *Container) SetupWorkingDirectory(rootIDs idtools.IDPair) error {

+func (container *Container) SetupWorkingDirectory(rootIdentity idtools.Identity) error {

 	// TODO @jhowardmsft, @gupta-ak LCOW Support. This will need revisiting.

 	// We will need to do remote filesystem operations here.

 	if container.OS != runtime.GOOS {

@@ -271,7 +271,7 @@ func (container *Container) SetupWorkingDirectory(rootIDs idtools.IDPair) error

 		return err

 	}

-	if err := idtools.MkdirAllAndChownNew(pth, 0755, rootIDs); err != nil {

+	if err := idtools.MkdirAllAndChownNew(pth, 0755, rootIdentity); err != nil {

 		pthInfo, err2 := os.Stat(pth)

 		if err2 == nil && pthInfo != nil && !pthInfo.IsDir() {

 			return errors.Errorf("Cannot mkdir: %s is not a directory", container.Config.WorkingDir)

@@ -9,7 +9,7 @@ import (

 func (daemon *Daemon) defaultTarCopyOptions(noOverwriteDirNonDir bool) *archive.TarOptions {

 	return &archive.TarOptions{

 		NoOverwriteDirNonDir: noOverwriteDirNonDir,

-		UIDMaps:              daemon.idMappings.UIDs(),

-		GIDMaps:              daemon.idMappings.GIDs(),

+		UIDMaps:              daemon.idMapping.UIDs(),

+		GIDMaps:              daemon.idMapping.GIDs(),

 	}

 }

@@ -18,8 +18,10 @@ func (daemon *Daemon) tarCopyOptions(container *container.Container, noOverwrite

 		return nil, err

 	}

+	identity := idtools.Identity{UID: user.Uid, GID: user.Gid}

+

 	return &archive.TarOptions{

 		NoOverwriteDirNonDir: noOverwriteDirNonDir,

-		ChownOpts:            &idtools.IDPair{UID: user.Uid, GID: user.Gid},

+		ChownOpts:            &identity,

 	}, nil

 }

@@ -132,7 +132,7 @@ func (daemon *Daemon) setupIpcDirs(c *container.Container) error {

 		fallthrough

 	case ipcMode.IsShareable():

-		rootIDs := daemon.idMappings.RootPair()

+		rootIDs := daemon.idMapping.RootPair()

 		if !c.HasMountFor("/dev/shm") {

 			shmPath, err := c.ShmResourcePath()

 			if err != nil {

@@ -179,7 +179,7 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {

 	}

 	// retrieve possible remapped range start for root UID, GID

-	rootIDs := daemon.idMappings.RootPair()

+	rootIDs := daemon.idMapping.RootPair()

 	for _, s := range c.SecretReferences {

 		// TODO (ehazlett): use type switch when more are supported

@@ -278,7 +278,7 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {

 // In practice this is using a tmpfs mount and is used for both "configs" and "secrets"

 func (daemon *Daemon) createSecretsDir(c *container.Container) error {

 	// retrieve possible remapped range start for root UID, GID

-	rootIDs := daemon.idMappings.RootPair()

+	rootIDs := daemon.idMapping.RootPair()

 	dir, err := c.SecretMountPath()

 	if err != nil {

 		return errors.Wrap(err, "error getting container secrets dir")

@@ -304,7 +304,7 @@ func (daemon *Daemon) remountSecretDir(c *container.Container) error {

 	if err := label.Relabel(dir, c.MountLabel, false); err != nil {

 		logrus.WithError(err).WithField("dir", dir).Warn("Error while attempting to set selinux label")

 	}

-	rootIDs := daemon.idMappings.RootPair()

+	rootIDs := daemon.idMapping.RootPair()

 	tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID)

 	// remount secrets ro

@@ -407,5 +407,5 @@ func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error {

 	if err != nil {

 		return err

 	}

-	return idtools.MkdirAllAndChown(p, 0700, daemon.idMappings.RootPair())

+	return idtools.MkdirAllAndChown(p, 0700, daemon.idMapping.RootPair())

 }

@@ -155,13 +155,14 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (

 	}

 	// Set RWLayer for container after mount labels have been set

-	rwLayer, err := daemon.imageService.CreateLayer(container, setupInitLayer(daemon.idMappings))

+	rwLayer, err := daemon.imageService.CreateLayer(container, setupInitLayer(daemon.idMapping))

 	if err != nil {

 		return nil, errdefs.System(err)

 	}

 	container.RWLayer = rwLayer

-	rootIDs := daemon.idMappings.RootPair()

+	rootIDs := daemon.idMapping.RootPair()

+

 	if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil {

 		return nil, err

 	}

@@ -25,7 +25,7 @@ func (daemon *Daemon) createContainerOSSpecificSettings(container *container.Con

 	}

 	defer daemon.Unmount(container)

-	rootIDs := daemon.idMappings.RootPair()

+	rootIDs := daemon.idMapping.RootPair()

 	if err := container.SetupWorkingDirectory(rootIDs); err != nil {

 		return err

 	}

@@ -87,7 +87,7 @@ type Daemon struct {

 	seccompEnabled    bool

 	apparmorEnabled   bool

 	shutdown          bool

-	idMappings        *idtools.IDMappings

+	idMapping         *idtools.IdentityMapping

 	// TODO: move graphDrivers field to an InfoService

 	graphDrivers map[string]string // By operating system

@@ -594,11 +594,11 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe

 		return nil, err

 	}

-	idMappings, err := setupRemappedRoot(config)

+	idMapping, err := setupRemappedRoot(config)

 	if err != nil {

 		return nil, err

 	}

-	rootIDs := idMappings.RootPair()

+	rootIDs := idMapping.RootPair()

 	if err := setupDaemonProcess(config); err != nil {

 		return nil, err

 	}

@@ -749,7 +749,7 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe

 			MetadataStorePathTemplate: filepath.Join(config.Root, "image", "%s", "layerdb"),

 			GraphDriver:               gd,

 			GraphDriverOptions:        config.GraphOptions,

-			IDMappings:                idMappings,

+			IDMapping:                 idMapping,

 			PluginGetter:              d.PluginStore,

 			ExperimentalEnabled:       config.Experimental,

 			OS:                        operatingSystem,

@@ -856,7 +856,7 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe

 	d.EventsService = events.New()

 	d.root = config.Root

-	d.idMappings = idMappings

+	d.idMapping = idMapping

 	d.seccompEnabled = sysInfo.Seccomp

 	d.apparmorEnabled = sysInfo.AppArmor

@@ -1106,7 +1106,7 @@ func (daemon *Daemon) Subnets() ([]net.IPNet, []net.IPNet) {

 // prepareTempDir prepares and returns the default directory to use

 // for temporary files.

 // If it doesn't exist, it is created. If it exists, its content is removed.

-func prepareTempDir(rootDir string, rootIDs idtools.IDPair) (string, error) {

+func prepareTempDir(rootDir string, rootIdentity idtools.Identity) (string, error) {

 	var tmpDir string

 	if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {

 		tmpDir = filepath.Join(rootDir, "tmp")

@@ -1126,7 +1126,7 @@ func prepareTempDir(rootDir string, rootIDs idtools.IDPair) (string, error) {

 	}

 	// We don't remove the content of tmpdir if it's not the default,

 	// it may hold things that do not belong to us.

-	return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, rootIDs)

+	return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, rootIdentity)

 }

 func (daemon *Daemon) setGenericResources(conf *config.Config) error {

@@ -1274,11 +1274,11 @@ func CreateDaemonRoot(config *config.Config) error {

 		}

 	}

-	idMappings, err := setupRemappedRoot(config)

+	idMapping, err := setupRemappedRoot(config)

 	if err != nil {

 		return err

 	}

-	return setupDaemonRoot(config, realRoot, idMappings.RootPair())

+	return setupDaemonRoot(config, realRoot, idMapping.RootPair())

 }

 // checkpointAndSave grabs a container lock to safely call container.CheckpointTo

@@ -1304,9 +1304,9 @@ func (daemon *Daemon) GetAttachmentStore() *network.AttachmentStore {

 	return &daemon.attachmentStore

 }

-// IDMappings returns uid/gid mappings for the builder

-func (daemon *Daemon) IDMappings() *idtools.IDMappings {

-	return daemon.idMappings

+// IdentityMapping returns uid/gid mapping or a SID (in the case of Windows) for the builder

+func (daemon *Daemon) IdentityMapping() *idtools.IdentityMapping {

+	return daemon.idMapping

 }

 // ImageService returns the Daemon's ImageService

@@ -124,7 +124,7 @@ func TestTmpfsDevShmSizeOverride(t *testing.T) {

 	mnt := "/dev/shm"

 	d := Daemon{

-		idMappings: &idtools.IDMappings{},

+		idMapping: &idtools.IdentityMapping{},

 	}

 	c := &container.Container{

 		HostConfig: &containertypes.HostConfig{

@@ -118,7 +118,7 @@ func initDaemonWithVolumeStore(tmp string) (*Daemon, error) {

 		repository: tmp,

 		root:       tmp,

 	}

-	daemon.volumes, err = volumesservice.NewVolumeService(tmp, nil, idtools.IDPair{UID: 0, GID: 0}, daemon)

+	daemon.volumes, err = volumesservice.NewVolumeService(tmp, nil, idtools.Identity{UID: 0, GID: 0}, daemon)

 	if err != nil {

 		return nil, err

 	}

@@ -1003,9 +1003,9 @@ func removeDefaultBridgeInterface() {

 	}

 }

-func setupInitLayer(idMappings *idtools.IDMappings) func(containerfs.ContainerFS) error {

+func setupInitLayer(idMapping *idtools.IdentityMapping) func(containerfs.ContainerFS) error {

 	return func(initPath containerfs.ContainerFS) error {

-		return initlayer.Setup(initPath, idMappings.RootPair())

+		return initlayer.Setup(initPath, idMapping.RootPair())

 	}