*            of a domain controller however a member server will work as well and a domain controller may not
     *            return names for SIDs corresponding to local accounts for which the domain controller is not an
     *            authority.
     * @param tc
     *            The context that should be used to communicate with the named server.
     * @param sids

	if owner && !globalAPIConfig.permitRootAccess() {
		// We disable root access and its service accounts if asked for.
		return cred, owner, ErrAccessKeyDisabled
	}

	if _, ok := claims[policy.SessionPolicyName]; ok {
		owner = false
	}

	return cred, owner, ErrNone
}

	cred, err := auth.GetNewCredentialsWithMetadata(claims, globalActiveCred.SecretKey)
	if err != nil {
		return nil, err
	}

	// Set the parent of the temporary access key, this is useful
	// in obtaining service accounts by this cred.
	cred.ParentUser = lookupResult.NormDN

	// Set this value to LDAP groups, LDAP user can be part
	// of large number of groups
	cred.Groups = targetGroups

/**
 * Internal representation of SIDs
 *
 * A Windows SID is a numeric identifier used to represent Windows
 * accounts. SIDs are commonly represented using a textual format such as
 * {@code S-1-5-21-1496946806-2192648263-3843101252-1029} but they may
 * also be resolved to yield the name of the associated Windows account
 * such as {@code Administrators} or {@code MYDOM\alice}.
 * <p>

    /** Account control bit flag: Normal user account */
    public static final int ACB_NORMAL = 16;
    /** Account control bit flag: MNS logon user account */
    public static final int ACB_MNS = 32;
    /** Account control bit flag: Interdomain trust account */
    public static final int ACB_DOMTRUST = 64;
    /** Account control bit flag: Workstation trust account */
    public static final int ACB_WSTRUST = 128;

    /** Account control bit flag: Normal user account */
    public static final int ACB_NORMAL = 16;
    /** Account control bit flag: MNS logon user account */
    public static final int ACB_MNS = 32;
    /** Account control bit flag: Interdomain trust account */
    public static final int ACB_DOMTRUST = 64;
    /** Account control bit flag: Workstation trust account */
    public static final int ACB_WSTRUST = 128;

        int bytesWritten = transaction.writeParameterWordsWireFormat(dst, 0);

        // Verify setup count is written correctly
        assertEquals(3, dst[35]);

        // Verify the total bytes written accounts for setup words
        assertTrue(bytesWritten >= 38 + 6); // Base structure + setup words
    }

    @Test
    @DisplayName("Test writeParameterWordsWireFormat returns correct byte count")

	// policies and any (LDAP user created) service accounts on the other
	// peer clusters, and if so, reject the cluster replicate add request.
	// This is not yet implemented.

	// VALIDATIONS COMPLETE.

	// Create a common service account for all clusters, with root
	// permissions.

	// Create a local service account.

	// Generate a secret key for the service account if not created already.
	var secretKey string

	if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
		nsecret, err := getTokenSigningKey()
		if err != nil {
			return nil, toAPIErrorCode(r.Context(), err)
		}
		// sign root's temporary accounts also with site replicator creds
		if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp() {
			secret = nsecret
		}
	}
	if cred.IsServiceAccount() {
		token = cred.SessionToken

	}

	if tables, err := DB.Migrator().GetTables(); err != nil {
		t.Fatalf("Failed to get database all tables, but got error %v", err)
	} else {
		for _, t1 := range []string{"users", "accounts", "pets", "companies", "toys", "languages", "tools"} {
			hasTable := false
			for _, t2 := range tables {
				if t2 == t1 {
					hasTable = true
					break
				}
			}
			if !hasTable {