FW: Speed comp. TNG & 2.2.alpha (fwd)

Andrew Bartlett abartlet at pcug.org.au
Thu Mar 1 09:19:46 GMT 2001


Peter Samuelson wrote:
> 
> [Andrew Bartlett]
> > The way to tell if a group is a private group is fairly simple - a
> > simple getgrnam call tells you if there are any non-primary members
> 
> Are you sure?  The man page on my system does not actually say that.
> Sure, the usual Unix implementation of getgrnam() only reads /etc/group
> and not /etc/passwd, but thanks to NSS, many people do not use the
> usual Unix implementation of getgrnam() anymore.

I'm not entirely sure what you are saying, but if the getgrnam call
returns the user we think is the owner of that group can't we just
disregard it?  How is that different to it telling us that there are no
non-primary members except that we can then be configured to not need
the next test? 

> 
> Also consider AIX: the 'mkuser' utility automatically puts you in
> /etc/group.  (I know this because I had to debug it once: I was
> creating hundreds of users from a script, and managed to exceed the
> line length limit of some tool that reads /etc/group.)

I suppose Samba-TNG requiring massive amounts of memory every time it
calls getgrnam could be a problem - but this would happen anyway - if we
ever call getgrnam that is (wouldn't it?).  (I think that's what you were
referring to?)

> 
> > A final check would be if no other users have this as their primary
> > gid.
> 
> So you have to iterate through getpwent() every time?  Bad.  Remember,
> systems like NIS are optimized for getpwnam() -- it is *much* more
> efficient than a loop through getpwent().  (Granted, with a local
> /etc/passwd file they are equivalent.)

If they are costly then allow them to be disabled - the odds of a group,
which is the primary group of a user, and possibly sharing the same
number for its uid/gid is IMHO pretty small, particularly if the admin
is made aware of the consequences.  If the admin wants the extra check,
the admin can choose the paranoia check.

> 
> > In any case, it would be good to get a list of all groups on a system
> > and not see all the private groups set up for each individual user
> > when all I want to see is admins, staff and students - if you see
> > what I mean.
> 
> Here's another way to attack the problem.  Samba could have a magic NT
> group name (say 'nogroup') defined to be invisible to clients, and a
> syntax for a wildcard Unix group name in your group map file.
> 
> Peter

It just sounds like work.  If at all possible, I see no reason to impose
the private groups hack on a system that has no need for it -
particularly when it gets in the way of a flat namespace.  But as I am
unlikely to be able to actually write the code to do it, this is most
likely the proverbial hot air.

-- 
Andrew Bartlett
abartlet at pcug.org.au




More information about the samba-ntdom mailing list