Passdb and smbpasswd (following discussion in TODO list thread)

Gerald Carter gcarter at valinux.com
Wed Oct 4 04:23:28 GMT 2000


Simo Sorce wrote:
> 
> As not all OSes have PAM and not all want to 
> use LDAP, I want to address the current way information 
> is stored in the smbpasswd file.
> 
> What I found annoying in the smbpasswd file structure is:
> 1. The need to store workstation accounts in system passwd.

ok.  this is a good discussion actually.  This issue 
really links into #2.  

>    This is annoying as it forces the administrator to change custom
>    scripts to deal with these entries in passwd, and as samba does
>    not need to perform any operation under the uid of wks account
>    their presence in passwd is totally useless (and inelegant).

This is the argument for storing machine trust accounts 
in /etc/passwd.

  The UNIX list of accounts is authoritative.  Therefore
  the dynamic generation of RIDs, as is done currently,
  requires an assigned uid for an account.

New developments which may help provide some resolution 
to this problem.

  Winbind dynamically allocates a uid from a defined
  range (specified in smb.conf) and stores the RID<->uid
  mapping in an internal TDB.  Could provide for the 
  same thing in relation to Workstation accounts?


> 2. The fact that RIDs are not stored anywhere
>    Storing RIDs on smbpasswd may allow an easier 
>    migration path from existing NT domains and allow 
>    admins to set particular RIDs if needed.

I would prefer the TDB solution used in winbind rather
than to hack smbpasswd some more.  Which I might add 
may need to be replaced with another backend in order to
support PDC functionality (store user authorization data).
If you want to run a Samba PDC, you would have to use
the new TDB passwd backend (or another one that supported
storing the necessary user attributes).  If you only need
a simple file and print server, keep the smbpasswd file.

This also gives us the ability for incremental RID
allocation.  The domain more security could be expanded 
to use the winbind method as well.

Thinking ahead...

  Tim, if we have a Samba PDC and want to use winbind 
  for PAMified applications, how hard would it be to 
  design a TDB used by both Samba and Winbind for
  storing user UID/RID mappings?


> 3. Trusting ACB bits User or Group belongings may 
>    be discovered and also Workstation accounts 
>    may be recognized.
>
> I made such a patch for samba 2.0.7 version.
> The patch avoided the need to store workstation 
> accounts in passwd and also placed the RID field in 
> smbpasswd file. If you think this may fit in samba I may 
> change the patch to samba 2.2 or HEAD as you wish.

I would opt for the TDB solution as we need many
more user attributes stored than smbpasswd is able 
to handle.

Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com  VA Linux Systems    gcarter at valinux.com
       http://www.samba.org       SAMBA Team           jerry at samba.org
       http://www.eng.auburn.edu/~cartegw

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
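
The winbind-style allocation discussed in this message (uids taken from a configured range, the RID<->uid mapping kept in a key/value store, RIDs allocated incrementally), as an added example that is not part of the original message and is not Samba or winbind code. The class and key names, the starting RID of 1000 and the dict standing in for a TDB are assumptions.

```python
# Added illustration: a dict stands in for the TDB; key names are constructed.

class RangeExhausted(Exception):
    """No free uid remains in the configured range."""


class IdMap:
    def __init__(self, store, uid_low, uid_high, first_rid=1000):
        self.db = store                  # any persistent key/value mapping
        self.uid_low, self.uid_high = uid_low, uid_high
        # High-water marks live in the store, so they survive restarts and
        # a uid or RID is never handed out twice.
        self.db.setdefault("UID_HWM", uid_low)
        self.db.setdefault("RID_HWM", first_rid)

    def uid_for_rid(self, rid):
        """Return the uid mapped to rid, allocating one on first sight."""
        key = f"RID {rid}"
        if key in self.db:
            return self.db[key]
        uid = self.db["UID_HWM"]
        if uid > self.uid_high:
            raise RangeExhausted(f"no uid left in {self.uid_low}-{self.uid_high}")
        # A real backend would do these three writes under one lock.
        self.db[key] = uid
        self.db[f"UID {uid}"] = rid
        self.db["UID_HWM"] = uid + 1
        return uid

    def rid_for_uid(self, uid):
        """Reverse lookup; None when the uid was never allocated here."""
        return self.db.get(f"UID {uid}")

    def add_machine_account(self, name):
        """Allocate a RID and a uid for a trust account without touching
        /etc/passwd; repeated calls return the same pair."""
        key = f"NAME {name.lower()}"
        if key not in self.db:
            self.db[key] = self.db["RID_HWM"]
            self.db["RID_HWM"] += 1
        rid = self.db[key]
        return rid, self.uid_for_rid(rid)


def demo():
    store = {}                           # constructed stand-in for a TDB file
    first = IdMap(store, 10000, 10001).add_machine_account("WKS1$")
    again = IdMap(store, 10000, 10001).add_machine_account("wks1$")
    return first, again, IdMap(store, 10000, 10001).rid_for_uid(10000)
```

Because both directions and the high-water marks are persisted, a second process opening the same store sees the same mapping, which is what keeps file ownership stable across restarts.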





