samba-tng-alpha-1.0.tar.gz
Luke Kenneth Casson Leighton
lkcl at samba.org
Sat Mar 18 00:57:27 GMT 2000
yeah, there is.
1) option 1 - use -DSMBPASSFILE
abandon the domain_namemap.c code and use the smbpassgroup code i started
writing as a replacement option for this.
what that does is it *doesn't* use the /etc/group entries *at all*.
the expected usage is to have scripts that take /etc/group and create
private/smbpassgroup and private/smbpassalias files.
_only_ when a user is added to an nt group or an nt alias will the
/etc/group file be checked, and names validated to ensure that they are
unique.
it's a lot of work: about three weeks full-time, at a guess.
2) option 2 - add checking into domain_namemap.c
verify that a name that maps to both a unix name _and_ a unix group, the
unix name takes precedence.
this is nasty as hell, because let's say someone tries to create a file
with a unix group root, are you going to reject the file create because
there is also a username root????
answer: YES! with a damn big warning in the log files saying hey, stupid,
map the unix group "root" to something that doesn't clash with the
username "root", because i said so, don't argue, just do it.
it increases the complexity of the already-over-complex domain_namemap.c
code.
how many times have i said i hate domain_namemap.c, already?
:)
On Fri, 17 Mar 2000, Seth Vidal wrote:
> > michael! you are a star.
> >
> > ok, this is a known issue with the domain_namemap.c code.
> >
> > you _cannot_ have the same username as a groupname or vice-versa on the
> > unix side.
> >
> > if you do, the lookups from unix names to nt names will fail, because nt
> > namespace is expected to be unique, therefore login and access _will_ also
> > fail.
> >
> > nt namespace uses unique names amongst users, groups, aliases and domains.
> > a name is resolved to a SID _and_ a type, therefore must be unique in
> > order to do this.
> >
> > check your /etc/group and /etc/passwd: make sure that all non-unique names
> > are mapped to unique nt names, using the domain user/group/alias/builtin
> > map options.
> >
>
> This is going to hit A LOT of people - especially debian and redhat users.
> Redhat and debian set up usergroups by default (user and group name are the
> same and is the default group for the user) - this will mean A LOT of
> munging passwd and group files.
> is there any way around this?
> ugh.
>
> -sv
>
>
Luke Kenneth Casson Leighton <lkcl at samba.org>
Samba and Network Development: http://cb1.com/~lkcl
Samba Web site: http://samba.org
Macmillan Technical Publishing: http://mcp.com
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
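
The check the thread asks for (every Unix user and group name must end up as a unique NT name) can be scripted. The following is an added example, not part of the original message and not Samba code. The passwd/group data is constructed, and the `user_map`/`group_map` dicts are hypothetical stand-ins for whatever the domain user/group map options resolve to.

```python
# Added example: find Unix names that would collide in one NT-style namespace.
# PASSWD and GROUP are constructed sample data in /etc/passwd and /etc/group form.
from collections import defaultdict

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
seth:x:500:500:Seth:/home/seth:/bin/bash
michael:x:501:501:Michael:/home/michael:/bin/bash
"""
GROUP = """\
root:x:0:
seth:x:500:
michael:x:501:
staff:x:50:seth,michael
"""

def names(text):
    """First colon-separated field of each non-blank, non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line.split(":", 1)[0])
    return out

def nt_collisions(passwd, group, user_map=None, group_map=None):
    """Return {nt_name: [(kind, unix_name), ...]} for NT names claimed more than once.

    user_map/group_map are hypothetical {unix_name: nt_name} dicts; unmapped
    names keep their Unix name. Names are compared case-insensitively
    (assumption: NT account names are case-insensitive, unlike Unix names).
    """
    user_map, group_map = user_map or {}, group_map or {}
    claims = defaultdict(list)
    for kind, text, mapping in (("user", passwd, user_map),
                                ("group", group, group_map)):
        for unix in names(text):
            claims[mapping.get(unix, unix).casefold()].append((kind, unix))
    return {nt: who for nt, who in claims.items() if len(who) > 1}

if __name__ == "__main__":
    for nt, who in sorted(nt_collisions(PASSWD, GROUP).items()):
        print(f"clash on NT name {nt!r}: {who}")
    # Remapping only the groups to distinct NT names clears the clashes.
    fixed = {"root": "Unix Root Group", "seth": "seth-grp", "michael": "michael-grp"}
    print(nt_collisions(PASSWD, GROUP, group_map=fixed) or "no clashes")
```

Running it against the real `/etc/passwd` and `/etc/group` contents before enabling the name map shows how many per-user groups need remapping.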