Progress Report: Follow up

Dan Kaminsky effugas at
Mon Mar 1 03:42:20 GMT 1999

>Dan Kaminsky:
>> > ... password changing works for us ... [ Ref byte ordering ]
>> How is stability/reliability compared to the pre-existing NT solution?
>I'm unsure to what you're referring to. Previously when I was testing
>samba, we couldn't change passwords because [among others] new_passwd
>in check_oem_password was decoded to be a string of zeros, but I guess
>it was a string of stable zeros =)

What I meant was, I presume your installation had a real NT PDC doing all
these duties.  How much was reliability/stability affected by the switch to
your new system?

>In our case we're lucky because the 'alternative' labs are on a
>different subnet, thus the symlink can be generated with a statement
>like 'root preexec = newmach %I %m', where 'newmach' is a script which
>looks at the IP address (%I), determines which subnet its on, then
>creates the symlink on behalf of the machine (%m). Good place for
>this would be the netlogon share.

This is brilliant.  A hack, mind you, but brilliant nonetheless.  I can see
*many* applications of the pre-exec method...anything you want to use as a
primary key instantly "just works", since you can feed them into a database
and have the appropriate %l or %m script set.


>This solution has two benifits worth mentioning, the new password is
>read in from stdin and not from an argument, then hashed, then forwarded
>to ypserv to inform the server what unix crypt string to throw into
>the user's passwd entry, rather than get the server to do the cryption.


>Luke Kenneth Casson Leighton:
>> > I've been ... implement[ing] a mysql database for passdb ...

>I'm also kind of shy to publish my own code, so be gentle =)

You've done the initial work on a major area of future development for
Samba.  Don't be shy, be proud :-)

>> actually we found that with some unixen the speed was limited by getpwnam
>> calls not by private/smbpasswd, which is a bit wierd.
>The bold solution to that would be to add fields to smbpasswd so as
>that it could totally replace getpwnam calls?

I think a good deal of other code depends on users actually existing.

>Has the added benifit that you wont need the people to actually exist
>on the unix box, just requires access to the user filesystem.
>Ciao, semester starts tomorrow and I'm actually doing subjects too,
>plus my timetable sucks (just thought I'd add that for the record).

Are you a teacher or a student?

More information about the samba-technical mailing list