Passdb and smbpasswd (following discussion in TODO list thread)
gcarter at valinux.com
Wed Oct 4 04:23:28 GMT 2000
Simo Sorce wrote:
> As not all OSes have PAM and not all want to
> use LDAP, I want to address the current way information
> is stored in the smbpasswd file.
> What I found annoying in the smbpasswd file structure is:
> 1. The need to store workstation accounts in system passwd.
OK. This is a good discussion actually. This issue
really links into #2.
> This is annoying as it forces the administrator to change custom
> scripts to deal with these entries in passwd, and as samba does
> not need to perform any operation under the uid of wks account
> their presence in passwd is totally useless (and inelegant).
This is the argument for storing machine trust accounts
The UNIX list of accounts is authoritative. Therefore
the dynamic generation of RIDs, as is done currently,
requires an assigned uid for an account.
New developments which may help provide some resolution
to this problem.
Winbind dynamically allocates uid from a defined
range (specified in smb.conf) and stores the RID<->uid
mapping in an internal TDB. Could provide for the
same thing in relation to Workstation accounts?
> 2. The fact that RIDs are not stored anywhere
> Storing RIDs on smbpasswd may allow an easier
> migration path from existing NT domains and allow
> admins to set particular RIDs if needed.
I would prefer the TDB solution used in winbind rather
than to hack smbpasswd some more. Which I might add
may need to be replaced with another backend in order to
support PDC functionality (store user authorization data).
If you want to run a Samba PDC, you would have to use
the new TDB passwd backend (or another one that supported
storing the necessary user attributes). If you only need
a simple file and print server, keep the smbpasswd file.
This also gives us the ability for incremental RID
allocation. The domain mode security could be expanded
to use the winbind method as well.
Tim, if we have a Samba PDC and want to use winbind
for PAMified applications, how hard would it be to
design a TDB used by both Samba and Winbind for
storing user UID/RID mappings?
> 3. Trusting ACB bits User or Group belongings may
> be discovered and also Workstation accounts
> may be recognized.
> I made such a patch for samba 2.0.7 version.
> The patch avoided the need to store workstation
> accounts in passwd and also placed the RID field in
> smbpasswd file. If you think this may fit in samba I may
> change the patch to samba 2.2 or HEAD as you wish.
I would opt for the TDB solution as we need many
more user attributes stored than smbpasswd is able
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com VA Linux Systems gcarter at valinux.com
http://www.samba.org SAMBA Team jerry at samba.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
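
An added sketch (not code from this thread or from Samba/winbind) of the scheme the reply describes: uids handed out from a configured range, with a persistent RID<->uid mapping, so a workstation account needs no passwd entry. SQLite stands in for the TDB; the class name, table layout, uid range and RIDs are hypothetical.

```python
import sqlite3


class IdMap:
    """Toy RID<->uid map: uids come from a fixed range, mappings persist."""

    def __init__(self, path, uid_low, uid_high):
        # Assumed range; the thread only says it is "specified in smb.conf".
        self.low, self.high = uid_low, uid_high
        self.db = sqlite3.connect(path)
        # PRIMARY KEY on rid and UNIQUE on uid keep the mapping one-to-one,
        # so two accounts can never end up sharing a uid.
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS idmap ("
            "rid INTEGER PRIMARY KEY, uid INTEGER UNIQUE NOT NULL)"
        )

    def rid_to_uid(self, rid):
        """Return the uid for rid, allocating the next free one on first use."""
        with self.db:  # commit on success, roll back if we raise
            row = self.db.execute(
                "SELECT uid FROM idmap WHERE rid = ?", (rid,)
            ).fetchone()
            if row:
                return row[0]  # mapping is stable once assigned
            (top,) = self.db.execute("SELECT MAX(uid) FROM idmap").fetchone()
            uid = self.low if top is None else top + 1
            if uid > self.high:
                # Fail closed: never wrap around and reuse an assigned uid.
                raise RuntimeError("uid range exhausted")
            self.db.execute("INSERT INTO idmap VALUES (?, ?)", (rid, uid))
            return uid

    def uid_to_rid(self, uid):
        """Reverse lookup; None when the uid was never allocated."""
        row = self.db.execute(
            "SELECT rid FROM idmap WHERE uid = ?", (uid,)
        ).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    idmap = IdMap(":memory:", 10000, 10999)  # constructed sample range
    for rid in (1105, 1107, 1105):           # constructed sample RIDs
        print(rid, "->", idmap.rid_to_uid(rid))
```

Because a mapping is never reassigned once stored, files owned by an allocated uid stay tied to the same RID for the life of the database.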