Progress Report: Follow up

Dan Kaminsky effugas at best.com
Mon Mar 1 03:42:20 GMT 1999


>Dan Kaminsky:
>> > ... password changing works for us ... [ Ref byte ordering ]
>> How is stability/reliability compared to the pre-existing NT solution?
>
>I'm unsure to what you're referring to. Previously when I was testing
>samba, we couldn't change passwords because [among others] new_passwd
>in check_oem_password was decoded to be a string of zeros, but I guess
>it was a string of stable zeros =)

What I meant was, I presume your installation had a real NT PDC doing all
these duties.  How much was reliability/stability affected by the switch to
your new system?

>In our case we're lucky because the 'alternative' labs are on a
>different subnet, thus the symlink can be generated with a statement
>like 'root preexec = newmach %I %m', where 'newmach' is a script which
>looks at the IP address (%I), determines which subnet it's on, then
>creates the symlink on behalf of the machine (%m). Good place for
>this would be the netlogon share.

This is brilliant.  A hack, mind you, but brilliant nonetheless.  I can see
*many* applications of the pre-exec method...anything you want to use as a
primary key instantly "just works", since you can feed them into a database
and have the appropriate %l or %m script set.

Wow.

>This solution has two benefits worth mentioning, the new password is
>read in from stdin and not from an argument, then hashed, then forwarded
>to ypserv to inform the server what unix crypt string to throw into
>the user's passwd entry, rather than get the server to do the cryption.

Nice.

>Luke Kenneth Casson Leighton:
>> > I've been ... implement[ing] a mysql database for passdb ...

>I'm also kind of shy to publish my own code, so be gentle =)

You've done the initial work on a major area of future development for
Samba.  Don't be shy, be proud :-)

>> actually we found that with some unixen the speed was limited by getpwnam
>> calls not by private/smbpasswd, which is a bit weird.
>
>The bold solution to that would be to add fields to smbpasswd so as
>that it could totally replace getpwnam calls?

I think a good deal of other code depends on users actually existing.

>Has the added benefit that you won't need the people to actually exist
>on the unix box, just requires access to the user filesystem.
>
>Ciao, semester starts tomorrow and I'm actually doing subjects too,
>plus my timetable sucks (just thought I'd add that for the record).

Are you a teacher or a student?
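
The 'root preexec = newmach %I %m' trick quoted above, as an added example
that is not the poster's script or anything from the Samba tree: a
hypothetical 'newmach' that maps the client IP (%I) to a lab and points a
per-machine symlink in the netlogon share at that lab's directory.  The
subnet-to-lab table (10.1.2.x -> lab-a, 10.1.3.x -> lab-b) is invented for
the example.  Because root preexec runs as root and %m is the NetBIOS name
the client sends, the script refuses any name that could escape the share
(e.g. '../etc') and any IP it does not recognise.

```shell
#!/bin/sh
# Added example, not the original poster's 'newmach'.  Intended for
#   root preexec = /usr/local/sbin/newmach %I %m
# Samba substitutes %I with the client IP address and %m with the client's
# NetBIOS name.  Everything below the usage line is hypothetical policy.

# Constructed subnet -> lab mapping; not from the thread, edit for your site.
subnet_for_ip() {
    case "$1" in
        10.1.2.*) echo "lab-a" ;;
        10.1.3.*) echo "lab-b" ;;
        *)        return 1 ;;
    esac
}

# Accept only a NetBIOS-style name: 1-15 chars of [A-Za-z0-9_-].
# Rejects '..', '/', spaces and anything else that could leave NETLOGON.
valid_machine_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Basic dotted-quad check (format only, octet ranges are not validated).
# %I can be an IPv6 literal on newer Samba; this example handles IPv4 only.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -cd . | wc -c)" -eq 3 ]
}

# newmach NETLOGON_DIR IP MACHINE
# Creates NETLOGON_DIR/MACHINE -> <lab> (a relative symlink) so each client
# sees the logon tree for its own subnet.  Returns 1 on any bad input.
newmach() {
    netlogon=$1 ip=$2 machine=$3
    valid_ipv4 "$ip" || return 1
    valid_machine_name "$machine" || return 1
    lab=$(subnet_for_ip "$ip") || return 1
    [ -d "$netlogon/$lab" ] || return 1
    # Never clobber a real file or directory, only replace an old symlink.
    if [ -e "$netlogon/$machine" ] && [ ! -L "$netlogon/$machine" ]; then
        return 1
    fi
    ln -sfn "$lab" "$netlogon/$machine"
}

# Usage from Samba: newmach NETLOGON_DIR %I %m, e.g.
#   newmach /var/lib/samba/netlogon 10.1.2.7 WS01
```

Two caveats for anyone reviving this today: on Samba listening on port 445
the client no longer sends a NetBIOS name, so %m may be empty or the client
IP rather than a hostname, and the validation above will then simply refuse
to create a link; and because root preexec runs before the share is served,
a slow script here adds latency to every connection.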
