PASSDB: local and domain accounts

Simo Sorce sorce at mail.polimi.it
Wed Nov 15 20:57:01 GMT 2000 

On Wed, 15 Nov 2000, Gerald Carter wrote:

> Simo Sorce wrote:
> >
> > > 4)
> > >   o NT as a BDC replicates the domain SAM into a
> > >     copy in the local sam
> > >
> > >   + Samba as a BDC should replicate the domain SAM
> > >     into a copy in the local passdb storage
> >
> > BDC as PDC has only one local db (replicated from
> > PDC) why you put it in "security = domain" section and
> > not in "security = user" section?
>
> A BDC should be configured by
>
> 	security = domain
> 	domain logons = yes
>
> You are in effect saying, I'm getting the accounts from
> a PDC.  And since I can authenticate domain logons, that
> should make be a BDC.  (Or we need to come up with a better
> way of defining behavior)
>
> The fact is that the BDC gets the entire SAM from
> the PDC and store a copy of it locally.
>
>

OK

> > > No you may be thinking to yourself, "but local
> > > Samba accounts already exist in /etc/passwd.  You can
> > > use those."  However, consider the unification of
>                                        ^^^^^^^^^^^
> Should be "synchronization"
>
> > > passwords.  What if the Samba lanman/nt password is
> > > different than /etc/passwd?  Also consider the case
> > > of uid allocation upon demand for creating new local
> > > accounts in samba.  These would never exist in
> > > /etc/passwd.  Only as a uid in a Samba TDB.
> >
> > Hey, wait!
> > You mean that local passdb and /etc/passwd will
> > be unallineated?
>
> ok.  Think for a second.  Have I ever advocated the removal
> of Samba's dependence on UNIX uids?  Nope.  :) btw...that
> proposal is being discussed on tng-technical right now
> if anyone is interested.

Excuse me, maybe I was not clear on this point.
Idon't know english as I wish :(

I know uids does not need to be present in passwd to be used (passwd and
the hole name mapping is only a user space thing, kernel and fs
understands only uid and gid...)
what I mean is that you should have system passwd and samba passwd always
in sync or user managment would be difficult.
seeing jerry or simo as file owner is clear but seeing 26503 and 25063
numeric uids is not!
:)

>
> > Generating local uid only in local passdb and not
> > in /etc/passwd may cause big troubles. How do you serve
> > files to users not present in /etc/passwd? what about
> > file permissions and ownership?
>
> You do not need an entry in /etc/passwd per say.  Rather
> just a uid.  Think about for a second.  Have you ever
> deleted an entry from /etc/passwd and later found files
> that only showed up a uid in the output from '/bin/ls -l'?
> Same principle.

See above.

> Take a look at the winbind implementation first.  Read the
> paper Tim and Andrew wrote on samba.org.  Winbindd allows
> you to define a range of uids and gids from which it can
> allocate as necessary for domain accounts.  This mapping
> is stored in a TDB.
>
> Since you as the sysadmin have defined the range to be used,
> the only way you can have a conflict with an entry in
> /etc/passwd is if you do it yourself.
>
> > What happen if a user created on /etc/passwd maps
> > to the same uid of an existent local passdb user will
> > the samba user be able to read /etc/passwd user files?
>
> See above comments.
>
> > I think that local passdb users should always be present
> > in local /etc/passwd (also through nis or other nss modules).
>
> If my explanation above doesn't convinve you of my intent,
> let me know and I'll try again.

probably we think the same thing but my english makes things difficult,
sorry :(

>
> > We should also define a configurable uid range to be
> > reserved on /etc/passwd to generate global users
> > mappings (for domain members) but I think
> > again nss_passdb+pam_winbind should be highly
> > recommended.
>
> Huh?  Winbindd does this now.  I don't see your point.
> You lost me. Sorry.

If I understand you propose to use winbind for domain users but not for
local (stored in passdb).
Also passdb stores users that does not exist on system and need free uid.
So a samba server that has local samba account + domain accounts from a
PDC should have a free range of uids for local passdb and another one for
domain users.


>
>
>
>
> Cheers, jerry
> ----------------------------------------------------------------------
>    /\  Gerald (Jerry) Carter                     Professional Services
>  \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
>        http://www.samba.org/       SAMBA Team          jerry at samba.org
>        http://www.plainjoe.org/                     jerry at plainjoe.org
>
>        "...a hundred billion castaways looking for a home."
>                                 - Sting "Message in a Bottle" ( 1979 )
>
>
>

-- 
Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
E-mail: simo.sorce at polimi.it
Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
-----------------------------------------------------------------
Be happy, use Linux!

More information about the samba-technical mailing list