Fwd: Re: Why machines in passwd anyway? [was Re: NT machine accounts in FreeBSD?]
Simo Sorce
sorce at mail.polimi.it
Mon Aug 14 16:19:15 GMT 2000
Quoting Peter Samuelson <peter at cadcamlab.org>:
>
> [Simo Sorce <simo.sorce at polimi.it>]
> > So we need a centralized point to store NT users/machines, right?
> > what about smbpasswd/ldap?
>
> My point exactly. The way I interpret Elrond's response: "fine, sounds
> good, where's your patch?" In other words, it's not worth changing
> unless someone volunteers....
>
> > Do we really need a Unix user for trust-accounts?
> > Does anything related to trust accounts need a Unix user?
>
> No, but from the NT perspective, a list of users is expected to include
> all the trust accounts. That means the Samba function for enumerating
> users needs to enumerate trust accounts as well.
>
> Here's my ideal world:
>
> * "encryption = no" --> this means there are no trust accounts to worry
>   about. Keep the status quo, use libc/NSS, pull RIDs out of thin air.
>
> * "encryption = yes" --> look up the main structure in smbpasswd. This
>   structure includes a RID assigned (randomly or algorithmically) by the
>   `smbpasswd' program when the entry was created.
>
> * user enumeration is done entirely from smbpasswd (or its replacements
>   like ldap). This may get a little messy when the client wants to
>   know about home directories and you're feeding them from NIS+, but by
>   that time you aren't talking about trust accounts anyway.
>
> * anyone who needs the UID uses a separate lookup function sid2uid or
>   whatever (I think this part is already in place, actually) and only
>   *then* do you bother with
>     - username map
>     - getpwnam and friends
>     - groups
>   Then this information is cached by the sid2uid function somehow.
>
> I think, on the whole, this would be more efficient as well as
> eliminate the pesky machine$-in-/etc/passwd problem.
>
> Unfortunately it also means a fair amount of coding, in what some
> consider the armpit of the Samba source, passdb/*. Coding by someone
> who cares enough about this stuff to do it. Which Elrond doesn't,
> because he has more important things to do to help stabilize Samba.
> (After all, the status quo *does* work, it's just a little annoying for
> the administrator.)
>
> Peter
>
OK, here is my patch to strip out workstation accounts from passwd.
It works for me (Linux-Samba PDC <-> NT4-SP5)
Anyone want to test it??
Feedback really welcome!
Simo.
Sorry, I forgot to include the link :P
http://www.geocities.org/SiliconValley/9757/samba-patch.html
--
Simo Sorce - Unix/Windows Systems Integration - Politecnico di Milano
E-mail: simo.sorce at polimi.it
Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
-----------------------------------------------------------------
Be happy, use Linux!
----- End of forwarded message -----
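
The lookup split proposed in the quoted message, as an added sketch that is not part of the original thread, the linked patch, or Samba's code: enumeration and RIDs come from the account store alone, and the Unix side is consulted lazily and cached only when a UID is needed. `Entry`, `AccountStore`, `rid_to_uid` (a RID-only simplification of the sid2uid idea), the starting RID and the sample accounts are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    """Hypothetical account record; not Samba's smbpasswd layout."""
    name: str
    rid: int
    is_trust: bool  # machine trust accounts are named "machine$"


class AccountStore:
    """Stand-in for smbpasswd (or an LDAP replacement)."""

    def __init__(self, unix_lookup: Callable[[str], Optional[int]],
                 first_rid: int = 1000):  # first_rid is an assumed value
        self._unix_lookup = unix_lookup   # stands in for username map + getpwnam
        self._next_rid = first_rid
        self._by_rid: Dict[int, Entry] = {}
        self._uid_cache: Dict[int, Optional[int]] = {}
        self.unix_lookups = 0             # counts trips to the Unix side

    def add(self, name: str) -> Entry:
        """Assign the RID once, when the entry is created."""
        entry = Entry(name, self._next_rid, name.endswith("$"))
        self._by_rid[entry.rid] = entry
        self._next_rid += 1
        return entry

    def enumerate(self) -> List[Entry]:
        """List users and trust accounts without consulting passwd."""
        return [self._by_rid[r] for r in sorted(self._by_rid)]

    def rid_to_uid(self, rid: int) -> Optional[int]:
        """Resolve a Unix UID lazily; trust accounts never get one."""
        entry = self._by_rid.get(rid)
        if entry is None or entry.is_trust:
            return None
        if rid not in self._uid_cache:
            self.unix_lookups += 1
            self._uid_cache[rid] = self._unix_lookup(entry.name)
        return self._uid_cache[rid]


def demo_store() -> AccountStore:
    passwd = {"alice": 1001, "bob": 1002}   # constructed sample, no machine entries
    store = AccountStore(passwd.get)
    for name in ("alice", "WKS1$", "bob"):
        store.add(name)
    return store
```

In this sketch the workstation account is visible to enumeration but never maps to a Unix UID, so it needs no passwd entry, home directory or shell.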