samba-tng-alpha-1.0.tar.gz

Luke Kenneth Casson Leighton lkcl at samba.org
Sat Mar 18 00:57:27 GMT 2000


yeah, there is.

1) option 1 - use -DSMBPASSFILE

abandon the domain_namemap.c code and use the smbpassgroup code i started
writing as a replacement option for this.

what that does is it *doesn't* use the /etc/group entries *at all*.

the expected usage is to have scripts that take /etc/group and create
private/smbpassgroup and private/smbpassalias files.

_only_ when a user is added to an nt group or an nt alias will the
/etc/group file be checked, and names validated to ensure that they are
unique.

it's a lot of work: about three weeks full-time, at a guess.

2) option 2 - add checking into domain_namemap.c

verify that a name that maps to both a unix name _and_ a unix group, the
unix name takes precedence.

this is nasty as hell, because let's say someone tries to create a file
with a unix group root, are you going to reject the file create because
there is also a username root????

answer: YES!  with a damn big warning in the log files saying hey, stupid,
map the unix group "root" to something that doesn't clash with the
username "root", because i said so, don't argue, just do it.

it increases the complexity of the already-over-complex domain_namemap.c
code.

how many times have i said i hate domain_namemap.c, already?

:)

On Fri, 17 Mar 2000, Seth Vidal wrote:

> > michael!  you are a star.
> > 
> > ok, this is a known issue with the domain_namemap.c code.
> > 
> > you _cannot_ have the same username as a groupname or vice-versa on the
> > unix side.
> > 
> > if you do, the lookups from unix names to nt names will fail, because nt
> > namespace is expected to be unique, therefore login and access _will_ also
> > fail.
> > 
> > nt namespace uses unique names amongst users, groups, aliases and domains.
> > a name is resolved to a SID _and_ a type, therefore must be unique in
> > order to do this.
> > 
> > check your /etc/group and /etc/passwd: make sure that all non-unique names
> > are mapped to unique nt names, using the domain user/group/alias/builtin
> > map options.
> > 
> 
> This is going to hit A LOT of people - especially debian and redhat users.
> Redhat and debian setup usergroups by default (user and group name are the
> same and is the default group for the user) - this will mean A LOT of
> munging passwd and group files.
> is there anyway around this?
> ugh.
> 
> -sv
> 
> 

Luke Kenneth Casson Leighton    <lkcl at samba.org>
Samba and Network Development   http://cb1.com/~lkcl
Samba Web site                  http://samba.org
Macmillan Technical Publishing  http://mcp.com

ISBN 1578701503  DCE/RPC over SMB: Samba and Windows NT Domain Internals
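The clash the message is about (a Unix user name that is also a Unix group name, which the domain_namemap.c code cannot map to a single NT name and type) can be found before it breaks logins. The check below is an added example, not Samba or Samba-TNG code: it parses passwd(5)- and group(5)-formatted text, lists every name present on both sides, and separately flags the Red Hat/Debian "user private group" pattern (group of the same name is the user's primary group) that the thread expects to be the common case. The passwd and group entries embedded in it are constructed for the example.

```python
"""Find Unix names that exist both as a user and as a group.

Added example, not part of Samba or Samba-TNG.  A name that appears in
both /etc/passwd and /etc/group cannot be given a unique NT name/type by
domain_namemap.c, so lookups for it (and hence logins and access) fail.
The sample file contents below are constructed, not from a real system.
"""
from typing import Dict, List, Set

# Constructed sample data: "root" and "seth" are user-private-group style
# clashes (same-named group is the primary group); "luke" clashes with a
# group he is not even primary in; "users" and "staff" are fine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
seth:x:1000:1000:Seth Vidal:/home/seth:/bin/bash
luke:x:1001:100:Luke:/home/luke:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
seth:x:1000:
luke:x:1002:
staff:x:50:luke
"""


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> primary gid for each passwd(5) line."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:          # name:passwd:uid:gid:... at minimum
            continue
        users[fields[0]] = fields[3]
    return users


def parse_group(text: str) -> Dict[str, str]:
    """Map group name -> gid for each group(5) line."""
    groups: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:          # name:passwd:gid[:members]
            continue
        groups[fields[0]] = fields[2]
    return groups


def find_clashes(passwd_text: str, group_text: str) -> Set[str]:
    """Every name that is both a user and a group: each one must be
    mapped to a distinct NT name before samba-tng will resolve it."""
    return set(parse_passwd(passwd_text)) & set(parse_group(group_text))


def usergroup_clashes(passwd_text: str, group_text: str) -> List[str]:
    """Subset of the clashes that are the Red Hat/Debian 'usergroup'
    pattern: the same-named group is the user's primary group."""
    users = parse_passwd(passwd_text)
    gid_to_group = {gid: name for name, gid in parse_group(group_text).items()}
    return sorted(u for u, gid in users.items() if gid_to_group.get(gid) == u)


def report(passwd_text: str, group_text: str) -> List[str]:
    """Human-readable warning lines, one per clashing name."""
    private = set(usergroup_clashes(passwd_text, group_text))
    lines = []
    for name in sorted(find_clashes(passwd_text, group_text)):
        kind = "user private group" if name in private else "unrelated group"
        lines.append(f"WARNING: '{name}' is both a user and a group ({kind}); "
                     f"map one side to a different NT name")
    return lines


if __name__ == "__main__":
    # Run against the live system; falls back to the sample data if the
    # files are not readable.
    try:
        with open("/etc/passwd") as p, open("/etc/group") as g:
            pw, gr = p.read(), g.read()
    except OSError:
        pw, gr = SAMPLE_PASSWD, SAMPLE_GROUP
    for warning in report(pw, gr):
        print(warning)
```

On a live box the same first-pass answer comes from `comm -12 <(cut -d: -f1 /etc/passwd | sort) <(cut -d: -f1 /etc/group | sort)`; the script adds the distinction between a private-group clash (where remapping the group is usually the right fix) and a name that collides with some unrelated group.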


