CVS update: samba/source

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sat Mar 28 15:36:41 GMT 1998


On Thu, 26 Mar 1998, Jeremy Allison wrote:

> Jean-Francois Micouleau wrote:
> > 
> > On Thu, 26 Mar 1998, Luke Kenneth Casson Leighton wrote:
> > 
> > > workstation should be the default.  server is reserved, i believe, for
> > > Backup Domain Controllers.  the majority of machines are going to be
> > > ordinary workstations (ACB_WKSTRUST).
> > 
> > Servers ? I think there are BDC, file servers, and trust relationships ?
> > 
> 
> Luke, you are correct. Sorry for that bug. I will remove 
> the code in the new smbpasswd that allows selection of 
> ACB_SVRTRUST and replace it with ACB_WSTRUST.

jf, fyi: BDC = ACB_SVRTRUST; file servers (NT workstations and,
importantly, standalone NT servers) = ACB_WKSTRUST; trust relationships =
ACB_DOMTRUST.

> > 
> > I think it's time to split the smbpasswd file for users and machines and
> > make two distinct files.
> > 
> 
> Well I had a long discussion with Andrew about this.
> 
> We came to the conclusion that we can't do this yet (even
> though I originally wanted to).
> 
> The reason is that NT machines enumerating accounts
> expect to see machine accounts as well as user accounts.
> 
> It would complicate things somewhat if we had a separate
> machine account file - a lot of the security code would
> get more complicated. I'd like to revisit doing this
> a little later, but for now it's much more convenient
> to leave the machine accounts in the smbpasswd file.


i am relieved to hear this.  you know it's my opinion that the best
place for the machine accounts is in the same place as the user accounts:
the reason is that they have their own NT user RID, just like any other
user.

> 
> > (have to check the code) but if you create uid for machines, people will
> > tend to be lost.
> > 
> 
if people don't like this concept, then too bad, to be honest: they'll
have to get used to it.  NIS+ has such a concept (each workstation has its
own ID).   NT treats workstations as users; therefore _we_ have to treat
workstations as users.
 
> Right now my 'new machine' code starts counting down
> from MAX(((unsigned)(sizeof(uid_t))/2 - 1) (to get around 
> signed/unsigned issues) and so shouldn't overlap with allocated 
> unix uid's. Another big question - do we want to insist
> that machine accounts have matching UNIX accounts (I'd
> like to - as I trust the unix account database method
> much more than the NT one) - what do people think ?

i would recommend all trust accounts end up mapping to the samba "guest"
account unix uid.  however, you still need an NT user RID which is unique.

 
> > > don't forget that we really actually need to add two more fields: a user
> > > RID and a Primary Group RID, in _addition_ to the unix uid in the
> > > smbpasswd file.
> > >
> 
> Nope I disagree with this. We just need a mapping function
> from unix uid to NT RID, and the primary group rid should
> be handled by mapping the unix primary gid to an NT RID.

so what do you do when you need to enumerate users by RID, and those
users are workstation trust accounts that all map, under your proposed
system, to the same NT RID (you must make unique NT user RIDs, but we
don't care about the unix uid except from the unix side)?

also, what happens when you use the "map username" function?  again, you
must be able to enumerate each of these users uniquely by NT RID, but
again, you don't care about the unix uid except from the point of view of
being able to setuid/setgid the smbd process.

trust me: the vuser structure will _need_ two additional fields: 
nt_user_rid and nt_group_rid, sitting alongside the unix_uid and unix_gid
fields.  the nt_user_rid must be unique; the unix_uid field need not
necessarily be so. 

> > > if these are not added, then by default there should exist a "unix
> > > uid/gid" <-> "NT user RID / group RID" function, which we have already
> > > agreed should be based on the NT Posix mapping system (NT User RID = unix
> > > uid + 0x100000; NT Group RID = unix gid + 0x200000" i think).
> > 
> 
> We should use the Softway OpenNT system. The only
> problem is on unix's where sizeof(uid_t) == 2 - which
> is lots of them I think. We really need a 32 bit RID
> type.

that's no problem if you have the nt_user_rid (32 bit) sitting alongside
the unix uid (sizeof(uid_t) == 2/4 - doesn't matter).

so, yes: you need a 32 bit RID, but to deal with the problems outlined
above, you will need it to be separate from the unix uid.

 
> > There is something else with groups while we are at it.
> > 
> > In english version of NT: Domain admins group
> > In french version: Administrateurs du domaine.
> > 
> > We will need a new small text file a la username mapping, to map the
> > domain group RID to the corresponding name
> > 
> 
> Why can't we use the unix /etc/group file for this (although
> in practice I think you're probably right - we need one to
> map stuff like 'Administrators' -> 'wheel' etc). ?

well, we use "map username = "... for users; there should equally be a
"map groupname" parameter to deal with exactly the same issues that are
dealt with on the user side by "map username".

luke
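Added example, not code from Samba or from anyone in this thread: a sketch of the account record argued for above, with a 32-bit nt_user_rid/nt_group_rid stored next to the unix uid/gid rather than derived from them on demand. Normal users get the uid/gid-offset mapping discussed (the +0x100000 user and +0x200000 group offsets are taken as assumptions, as the thread itself hedges them); trust accounts all share one "guest" unix uid but each draws a unique RID from a separate pool whose base, 0x400000, is this example's own assumption, as are all the struct, function and constant names. The reverse mapping is parameterised on the uid width so the sizeof(uid_t) == 2 concern can be exercised on any host. Sample accounts are constructed inline.

```c
/*
 * Added example (not Samba code).  Assumed layout: user RID = uid + 0x100000,
 * group RID = gid + 0x200000, trust-account RIDs allocated from 0x400000 up.
 * All names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define RID_USER_BASE   0x100000u   /* NT user RID  = unix uid + base (assumed) */
#define RID_GROUP_BASE  0x200000u   /* NT group RID = unix gid + base (assumed) */
#define RID_TRUST_BASE  0x400000u   /* assumed pool for trust-account RIDs */

/* SAM account-control bits used here (values follow the SAM flag layout). */
#define ACB_NORMAL    0x0010
#define ACB_DOMTRUST  0x0040   /* inter-domain trust */
#define ACB_WSTRUST   0x0080   /* workstation / standalone server */
#define ACB_SVRTRUST  0x0100   /* BDC */
#define ACB_TRUST_ANY (ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST)

struct vuser {
    char     name[32];
    uid_t    unix_uid;      /* only needed for setuid(); need not be unique */
    gid_t    unix_gid;
    uint32_t nt_user_rid;   /* must be unique: NT enumerates accounts by this */
    uint32_t nt_group_rid;
    uint16_t acb_flags;
};

struct rid_allocator { uint32_t next_trust_rid; };

uint32_t uid_to_user_rid(uid_t uid)  { return (uint32_t)uid + RID_USER_BASE; }
uint32_t gid_to_group_rid(gid_t gid) { return (uint32_t)gid + RID_GROUP_BASE; }

/* Reverse mapping for a uid type of uid_size bytes.  Returns the uid, or -1
 * when the RID lies outside the user range or would not fit in that uid. */
long user_rid_to_uid_n(uint32_t rid, size_t uid_size)
{
    uint32_t max_uid = uid_size >= 4 ? 0xFFFFFFFFu : (1u << (8 * uid_size)) - 1;
    if (rid < RID_USER_BASE || rid >= RID_GROUP_BASE)
        return -1;
    rid -= RID_USER_BASE;
    return rid > max_uid ? -1 : (long)rid;
}

long user_rid_to_uid(uint32_t rid) { return user_rid_to_uid_n(rid, sizeof(uid_t)); }

/* Fill in a record.  Trust accounts are handed the shared guest uid by the
 * caller and take their RID from the trust pool; everyone else is mapped
 * from their unix ids. */
void make_vuser(struct vuser *v, const char *name, uid_t uid, gid_t gid,
                uint16_t acb, struct rid_allocator *alloc)
{
    memset(v, 0, sizeof *v);
    snprintf(v->name, sizeof v->name, "%s", name);
    v->unix_uid = uid;
    v->unix_gid = gid;
    v->acb_flags = acb;
    v->nt_user_rid  = (acb & ACB_TRUST_ANY) ? alloc->next_trust_rid++
                                            : uid_to_user_rid(uid);
    v->nt_group_rid = gid_to_group_rid(gid);
}

/* Enumerate-by-RID lookup: this must tell ws1$ from ws2$ even though both
 * carry the same unix uid.  Returns the table index or -1. */
int find_by_rid(const struct vuser *tbl, size_t n, uint32_t rid)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].nt_user_rid == rid)
            return (int)i;
    return -1;
}

/* Constructed sample: one normal user plus three trust accounts that all
 * share the guest uid (65534 is an assumption of this example). */
#define GUEST_UID 65534
static struct vuser g_tbl[8];

size_t build_sample_table(void)
{
    struct rid_allocator alloc = { RID_TRUST_BASE };
    make_vuser(&g_tbl[0], "jeremy", 1001,      100, ACB_NORMAL,   &alloc);
    make_vuser(&g_tbl[1], "ws1$",   GUEST_UID, 100, ACB_WSTRUST,  &alloc);
    make_vuser(&g_tbl[2], "ws2$",   GUEST_UID, 100, ACB_WSTRUST,  &alloc);
    make_vuser(&g_tbl[3], "bdc1$",  GUEST_UID, 100, ACB_SVRTRUST, &alloc);
    return 4;
}

const struct vuser *sample_user(size_t i) { return &g_tbl[i]; }

int main(void)
{
    size_t n = build_sample_table();
    for (size_t i = 0; i < n; i++)
        printf("%-8s uid=%-6u rid=0x%06x grp_rid=0x%06x acb=0x%04x\n",
               g_tbl[i].name, (unsigned)g_tbl[i].unix_uid, g_tbl[i].nt_user_rid,
               g_tbl[i].nt_group_rid, g_tbl[i].acb_flags);
    return 0;
}
```

The point the table makes: ws1$, ws2$ and bdc1$ all run smbd as the guest uid, which is all the unix side needs, yet find_by_rid() still resolves each one on its own because the RID was allocated independently of the uid. user_rid_to_uid_n() shows the other half of the argument: a RID that fits in a 32-bit field can still fail to map back into a 16-bit uid_t, so the RID cannot simply be the uid.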




More information about the samba-technical mailing list