password API needed

Luke Kenneth Casson Leighton lkcl at cb1.com
Tue May 12 11:37:47 GMT 1998


ok, short (1/2 hour) brainstorm yesterday with jeremy came up with some
ideas on the password database system.

jeremy doesn't want any new fields added to struct smb_pass, particularly
those that will not be relevant to unix-side-only code (e.g "full name",
"workstations" etc).

this reflects NT's generation of "info levels", namely that you can obtain
frequently used important information (username / pass) in one structure,
and ask for larger and larger structures as the info level increases.

so, i created sam_passwd, which contains _all_ NT SAM fields, and left
smb_passwd alone.

now there are two database systems: private/smbpasswd (smbpass.c) and LDAP
(ldap.c) which are brought together in a single api (passdb.c).  smbpass.c
only supports the fields listed in struct smb_passwd, of which there are
only 5 or so; ldap.c (as it is under development) will support all the
fields listed in struct sam_passwd.

so, in the spirit of leaving private/smbpasswd alone, and not extending
it, jeremy suggested creating a private/sampasswd file which contains all
the missing NT SAM fields.

not only that, but both jean-francois and jeremy also suggested that if
fields are missing (NULL) in either the private/sampasswd file or the LDAP
database, that the default option from smb.conf is read.  currently, this
only means:

- lp_homedir()
- lp_logon_script()
- lp_profile_path()
- lp_homedrive()

now, this is where there is a slight amount of contention.  i want(ed) to
add lp_workstations(); lp_logon_hours(); lp_kickoff_time(); 
lp_dialup_info() etc, and jeremy went "argh" and jean-francois went
"argh".  jeremy went "argh" because he didn't want extraneous parameters,
and jean-francois went "argh" because i suggested doing
include=smb.conf.%U and putting "workstations = WKS1 WKS2 ..." in a
smb.conf.USERNAME file, but this was only as an example: you can also do
include=smb.conf.%G (where G is substituted for the user's group) or you
can use the NIS netgroup or whatever.  jean-francois thought that i was
suggesting the creation of 2,000 smb.conf.USERNAME files: one per user.

_or_ you could do "workstations = %<x>" where %<x> is the substitution
parameter for a NIS netgroup of workstations (i think unfortunately,
though, that NT limits the number to 8 workstations: i'd be interested to
see what happens if you put more...) 

i _still_ want to add the above-named parameters, particularly in light of
the fact that they will only be used as fall-back parameters when either
private/sampasswd or the LDAP database field for that parameter is blank. 

also, i would like to see swat or some other config tool be able to
generate a full set of NT SAM fields in whatever password database is
used.



summary:

- create a private/sampasswd file to work alongside private/smbpasswd and
  provide the full set of NT SAM fields

- a blank field in private/sampasswd or the LDAP database means "fall back
  to a default value in smb.conf".

- add new smb.conf parameters to offer the above-mentioned "default value"
  support for the full set of NT SAM fields.

- configuration tools to create private/sampasswd entries or LDAP database
  entries _from_ the full set of SAM smb.conf options, so that those
  parameters are effectively cached and accessed far quicker.

comments, anyone?
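An added illustration of the fall-back rule summarised above (not code from this post or from Samba): a constructed subset of sam_passwd in which a NULL field falls through to a hypothetical smb.conf default with %U / %G substituted. The struct layout, the conf_* defaults and the sam_get_field / sam_substitute helpers are all assumptions made for the example.

```c
#include <string.h>

/* Constructed subset of the per-user SAM record the post sketches. A NULL
 * field means "absent in private/sampasswd and in LDAP", so the smb.conf
 * default for that field applies. */
struct sam_passwd {
    const char *username;
    const char *group;
    const char *logon_script;  /* default: lp_logon_script() */
    const char *profile_path;  /* default: lp_profile_path() */
    const char *workstations;  /* default: the proposed lp_workstations() */
};

/* Hypothetical smb.conf defaults using the %U / %G substitutions from the post. */
static const char *conf_logon_script = "%U.bat";
static const char *conf_profile_path = "\\\\pdc\\profiles\\%U";
static const char *conf_workstations = "WKS-%G-1 WKS-%G-2";

/* Expand %U (user) and %G (group) in tmpl into out; any other text, including
 * a lone '%', is copied as-is. Returns NULL instead of overflowing out. */
char *sam_substitute(const char *tmpl, const char *user, const char *group,
                     char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *rep = NULL;
        if (*p == '%' && p[1] == 'U') { rep = user;  p++; }
        else if (*p == '%' && p[1] == 'G') { rep = group; p++; }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= outlen) return NULL;   /* leave room for the NUL */
        memcpy(out + n, rep ? rep : p, len);
        n += len;
    }
    out[n] = '\0';
    return out;
}

/* The fall-back rule: a stored (non-NULL) field wins; a blank field yields the
 * expanded smb.conf default, written into the caller's scratch buffer. */
const char *sam_get_field(const struct sam_passwd *pw, const char *stored,
                          const char *conf_default, char *out, size_t outlen)
{
    return stored ? stored
                  : sam_substitute(conf_default, pw->username, pw->group, out, outlen);
}

/* Constructed sample user: profile_path stored, the other two fields blank. */
static const struct sam_passwd g_alice = { "alice", "eng", NULL, "\\\\srv\\alice", NULL };
static char g_buf[128];
```

For a user with a stored profile path the stored value is returned untouched, while the blank logon script and workstations fields come back as "alice.bat" and "WKS-eng-1 WKS-eng-2"; an undersized buffer makes sam_substitute return NULL rather than truncate silently.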