lookups in smbpasswd file

Benny Holmgren benny at HGS.SE
Wed Mar 4 20:58:48 GMT 1998


On Thu, 5 Mar 1998, Jim Farrell wrote:

> On Thu, 5 Mar 1998, Jeremy Allison wrote:
> 
> > Gerald W. Carter wrote:
> > > 
> > > If this is a limitation, a possible solution would be to keep the
> > > standard smbpasswd file  but translate it to a DBM hash ( *.dir & *.pag
> > > files ) similar to NIS maps.  Smbpasswd could be modified to interface
> > > directly with the DBM files.  Also add an option to dump the map to a
> > > flat ASCII file.
> > 
> > That's a very good idea, and one I've been wanting
> > to do for a while. Issues you will need to consider :
> > 
> > 1). Concurrent updates - as I recall, most dbm hash
> > libraries don't allow record locking for concurrent
> > updates. smbpasswd will need this I think.

I'm not sure about other implementations but GNU dbm locks the whole file
during read-write access which is probably enough. A few retries with random
delay would probably make it reasonably solid.

> Something like NIS lookups would be nice ... however plain old NIS has no 
> protections, so those smb passwords would be easily accessible.  NIS+ 
> might work out better, but could turn out to be just as bad if NIS 
> compatibility were on and ill configured.

Even in compat mode the access rights of a NIS+ table are in use. This means
that you can have the hashed password fields non-readable for unauthenticated
principals. The result when doing a plain NISv2 lookup would be *NP* in the
password fields. So it all comes down to setting the access bits strict enough
which is no different from having it in a plain file.

 Cheers,
  Benny

--
Benny Holmgren                                      email: benny at hgs.se
University College of Gavle/Sandviken.          phone: +46-(0)26-648887
Sweden                                        mobile: +46-(0)70-6338298
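
The whole-file lock with "a few retries with random delay" from the message above, as an added example that is not part of the original post or of Samba. It uses flock(2) as a stand-in for GNU dbm's own lock, and the function names `open_locked` and `append_record` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* flock(2), nanosleep(2) under strict -std */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: take an exclusive whole-file lock without blocking.
 * If another writer holds it, sleep a random 1..max_delay_ms ms and retry,
 * at most `retries` more times. Returns the locked fd, or -1 with errno set
 * (EWOULDBLOCK when every attempt found the file locked). */
int open_locked(const char *path, int retries, int max_delay_ms)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);   /* owner-only mode */
    if (fd < 0)
        return -1;
    if (max_delay_ms < 1)
        max_delay_ms = 1;
    for (int attempt = 0; ; attempt++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                             /* we are the only writer */
        if (errno != EWOULDBLOCK || attempt >= retries) {
            int saved = errno;                     /* close() may clobber errno */
            close(fd);
            errno = saved;
            return -1;
        }
        long ms = 1 + rand() % max_delay_ms;       /* random delay spreads writers out */
        struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
    }
}

/* Hypothetical helper: append one record while holding the lock. */
int append_record(const char *path, const char *rec, int retries, int max_delay_ms)
{
    int fd = open_locked(path, retries, max_delay_ms);
    if (fd < 0)
        return -1;
    size_t len = strlen(rec);
    int ok = lseek(fd, 0, SEEK_END) >= 0 && write(fd, rec, len) == (ssize_t)len;
    flock(fd, LOCK_UN);
    close(fd);
    return ok ? 0 : -1;
}
```

A caller that gets -1 with errno set to EWOULDBLOCK has used up its retries and should report the update as failed, not write without the lock.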
