lookups in smbpasswd file

Roeland M.J. Meyer rmeyer at mhsc.com
Fri Mar 6 09:07:53 GMT 1998


At 03:38 05-03-98 +1000, Jeremy Allison wrote:
>Gerald W. Carter wrote:
>> 
>> If this is a limitation, a possible solution would be to keep the
>> standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
>> files ) similar to NIS maps.  Smbpasswd could be modified to interface
>> directly with the DBM files.  Also add an option to dump the map to a
>> flat ASCII file.
>> 
>
>That's a very good idea, and one I've been wanting
>to do for a while. Issues you will need to consider :
>
>1). Concurrent updates - as I recall, most dbm hash
>libraries don't allow record locking for concurrent
>updates. smbpasswd will need this I think.

Take a lesson from sendmail and the way it handles alias files. Update the
ASCII and have Samba detect the change and call the makemap program
internally. That way Samba can force any passwd look-up to wait while it's
building the new files.

I'd also declare the hash-type in the smb.conf file, as well as the
location/name. Some like 'hash' and some like 'dbm'. But 'dbm' isn't
universally supported by all Unices. This is also the way sendmail does
things. sendmail is a 'pile' but it has some good ideas in there.

>2). Transaction security - losing your password
>file due to a smbd/smbpasswd crash won't be popular.
>This may be solvable by keeping an ascii snapshot also
>but we should have some method of dealing with this.

With the method I outline (see above), you'll have both ASCII and DBM
types, and they'll be in sync.

>3). Setuid security. smbpasswd is a setuid root
>program - adding dbm libraries to it means that
>the dbm libraries must also pass the strict
>security requirements for such a program. Do they ?

sendmail v8.8.8 uses them and it also runs setuid root. I have the gdbm
libraries here. Other setuid programs use them as well.

>These problems are why I haven't done the code
>work yet, I don't have good answers to them.
>
>Just my 2 cents worth....

I'll raise you a wooden nickel <grin>

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail:		mailto:rmeyer at mhsc.com
Personal web pages:	http://www.mhsc.com/~rmeyer
Company web-site:	http://www.mhsc.com/
___________________________________________
The web-server is finally fixed!
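
A sketch of the scheme discussed in this message, added here as an example; it is not part of the original post and is not Samba or sendmail code. The flat file stays authoritative, a stale or half-built map is rebuilt under an exclusive lock, and lookups wait on a shared lock. The function names, the `.lock` file, the stamp key and Python's `dbm.dumb` backend are assumptions made for illustration.

```python
import dbm.dumb, fcntl, os, tempfile

STAMP = b"\0source-mtime"  # hypothetical key, written last: marks a complete build

def _stamp(ascii_path):
    return str(os.stat(ascii_path).st_mtime_ns).encode()

def _is_current(ascii_path, map_path):
    """True if the map was fully built from the current flat file."""
    try:
        with dbm.dumb.open(map_path, "r") as db:
            return db.get(STAMP) == _stamp(ascii_path)
    except OSError:  # map missing or unreadable: treat as stale
        return False

def _rebuild(ascii_path, map_path):
    stamp = _stamp(ascii_path)  # taken before reading: a later edit forces a rebuild
    # 0o600: the map holds password hashes, so keep it owner-only
    with dbm.dumb.open(map_path, "n", 0o600) as db, open(ascii_path, "rb") as src:
        for line in src:
            line = line.rstrip(b"\n")
            if line and not line.startswith(b"#"):
                db[line.split(b":", 1)[0]] = line  # key = username field
        db[STAMP] = stamp  # a crash before this line leaves a map that reads as stale

def lookup(ascii_path, map_path, user):
    """Return the flat-file line for user (bytes), or None if absent."""
    with open(map_path + ".lock", "a") as lock:
        fcntl.flock(lock, fcntl.LOCK_SH)
        if not _is_current(ascii_path, map_path):
            fcntl.flock(lock, fcntl.LOCK_EX)  # other lookups wait during the build
            if not _is_current(ascii_path, map_path):  # someone else may have rebuilt
                _rebuild(ascii_path, map_path)
            fcntl.flock(lock, fcntl.LOCK_SH)
        with dbm.dumb.open(map_path, "r") as db:
            return db.get(user)

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    flat = os.path.join(d, "smbpasswd")
    with open(flat, "wb") as f:  # constructed sample entries, not real hashes
        f.write(b"# constructed sample\nalice:1000:AAAA:BBBB\nbob:1001:CCCC:DDDD\n")
    print(lookup(flat, os.path.join(d, "smbpasswd.map"), b"alice"))
```

The sketch assumes that whoever edits the flat file either holds the same lock exclusively or replaces the file by rename, so a build never reads a partially written source.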

