lookups in smbpasswd file
benny at HGS.SE
Wed Mar 4 20:58:48 GMT 1998
On Thu, 5 Mar 1998, Jim Farrell wrote:
> On Thu, 5 Mar 1998, Jeremy Allison wrote:
> > Gerald W. Carter wrote:
> > >
> > > If this is a limitation, a possible solution would be to keep the
> > > standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> > > files ) similar to NIS maps. Smbpasswd could be modified to interface
> > > directly with the DBM files. Also add an option to dump the map to a
> > > flat ASCII file.
> > That's a very good idea, and one I've been wanting
> > to do for a while. Issues you will need to consider :
> > 1). Concurrent updates - as I recall, most dbm hash
> > libraries don't allow record locking for concurrent
> > updates. smbpasswd will need this I think.
I'm not sure about other implementations but GNU dbm locks the whole file
during read-write access which is probably enough. A few retries with random
delay would probably make it reasonably solid.
> Something like NIS lookups would be nice ... however plain old NIS has no
> protections, so those smb passwords would be easily accessible. NIS+
> might work out better, but could turn out to be just as bad if NIS
> compatibility were on and ill configured.
Even in compat mode the access rights of a NIS+ table are in use. This means
that you can have the hashed password fields non-readable for unauthenticated
principals. The result when doing a plain NISv2 lookup would be *NP* in the
password fields. So it all comes down to setting the access bits strict enough
which is no different from having it in a plain file.
Benny Holmgren email: benny at hgs.se
University College of Gavle/Sandviken. phone: +46-(0)26-648887
Sweden mobile: +46-(0)70-6338298
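
The whole-file lock with a few randomly delayed retries described in the reply above, as an added example that is not part of the original post and is not Samba or GNU dbm code. It uses flock() as a stand-in for the dbm library's own lock and assumes Linux/BSD flock semantics; `open_locked`, `contention_demo` and the /tmp path are hypothetical, constructed names.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Open the database file (created owner-only, 0600) and take an exclusive
 * whole-file lock. If another opener holds it, retry after a random
 * 10-99 ms delay, up to max_tries. Returns the locked fd, or -1. */
int open_locked(const char *path, int max_tries)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    for (int i = 0; i < max_tries; i++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                      /* lock acquired */
        if (errno != EWOULDBLOCK && errno != EINTR)
            break;                          /* real error, stop retrying */
        struct timespec delay = { 0, (10 + rand() % 90) * 1000000L };
        nanosleep(&delay, NULL);            /* random back-off */
    }
    close(fd);
    return -1;
}

/* Constructed demo: a second opener is refused while the first holds the
 * lock and succeeds once it is released. Returns 1 when both hold. */
int contention_demo(const char *path)
{
    int ok = 0;
    int first = open_locked(path, 3);
    if (first < 0) return 0;
    int second = open_locked(path, 3);      /* separate open(): must fail */
    if (second >= 0)
        close(second);
    close(first);                           /* closing releases the lock */
    if (second < 0) {
        int third = open_locked(path, 3);   /* now the lock is free */
        ok = third >= 0;
        if (ok)
            close(third);
    }
    unlink(path);
    return ok;
}

int main(void) { return contention_demo("/tmp/smbpasswd-demo.db") ? 0 : 1; }
```

A caller that gets -1 after the retries should fail the password update rather than write without the lock.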