Passdb and smbpasswd (following discussion in TODO list thread)

Simo Sorce simo.sorce at
Wed Oct 4 17:04:48 GMT 2000

Gerald Carter wrote:
> Simo Sorce wrote:
> >
> > As not all OSes have PAM and not all want to
> > use LDAP, I want to address the current way information
> > is stored in the smbpasswd file.
> >
> > What I found annoying in the smbpasswd file structure is:
> > 1. The need to store workstation accounts in system passwd.
> OK. This is a good discussion actually. This issue
> really links into #2.
> >    This is annoying as it forces the administrator to change custom
> >    scripts to deal with these entries in passwd, and as samba does
> >    not need to perform any operation under the uid of wks account
> >    their presence in passwd is totally useless (and inelegant).
> This is the argument for storing machine trust accounts
> in /etc/passwd.
>   The UNIX list of accounts is authoritative.  Therefore
>   the dynamic generation of RIDs, as is done currently,
>   requires an assigned uid for an account.
> New developments which may help provide some resolution
> to this problem.
>   Winbind dynamically allocates uid from a defined
>   range (specified in smb.conf) and stores the RID<->uid
>   mapping in an internal TDB.  Could provide for the
>   same thing in relation to Workstation accounts?
> > 2. The fact that RIDs are not stored anywhere
> >    Storing RIDs in smbpasswd may allow an easier
> >    migration path from existing NT domains and allow
> >    admins to set particular RIDs if needed.
> I would prefer the TDB solution used in winbind rather
> than to hack smbpasswd some more.  Which I might add
> may need to be replaced with another backend in order to
> support PDC functionality (store user authorization data).
> If you want to run a Samba PDC, you would have to use
> the new TDB passwd backend (or another one that supported
> storing the necessary user attributes).  If you only need
> a simple file and print server, keep the smbpasswd file.
> This also gives us the ability for incremental RID
> allocation.  The domain mode security could be expanded
> to use the winbind method as well.
> Thinking ahead...
>   Tim, if we have a Samba PDC and want to use winbind
>   for PAMified applications, how hard would it be to
>   design a TDB used by both Samba and Winbind for
>   storing user UID/RID mappings?
> > 3. Trusting ACB bits User or Group belongings may
> >    be discovered and also Workstation accounts
> >    may be recognized.
> >
> > I made such a patch for samba 2.0.7 version.
> > The patch avoided the need to store workstation
> > accounts in passwd and also placed the RID field in
> > smbpasswd file. If you think this may fit in samba I may
> > change the patch to samba 2.2 or HEAD as you wish.
> I would opt for the TDB solution as we need many
> more user attributes stored than smbpasswd is able
> to handle.
The patch was a quick and dirty solution, but it worked.
I've seen the TDB infrastructure and I think I may
work a patch to store data in tdb but I'm a bit scared.
What I like from textfiles is the ability to change them
quickly without depending on utilities.

On the other hand, tdb will speed things up and leave room to
add all the info needed by a PDC.

At this point we also need a unix side utility to see/modify/add
the user accounts more advanced than smbpasswd.

Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
E-mail: simo.sorce at 02 2399 2425 - 02 2399 2451
Be happy, use Linux!
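
An added illustration of the scheme mentioned in the quoted text above (uids handed out from a configured range, with the RID<->uid mapping kept so it stays stable); it is not code from Samba, winbind or either poster. All names and the range values are hypothetical, and an in-memory table stands in for the TDB.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical names throughout; an in-memory table stands in for the TDB. */
#define UID_LOW   10000u   /* assumed range, as an admin might set in smb.conf */
#define UID_HIGH  10003u
#define MAP_SLOTS (UID_HIGH - UID_LOW + 1u)
#define UID_NONE  ((uint32_t)-1)

struct idmap {
    uint32_t rid[MAP_SLOTS];  /* rid[i] is mapped to uid UID_LOW + i */
    uint32_t used;            /* slots handed out so far (high-water mark) */
};

static void idmap_init(struct idmap *m) { m->used = 0; }

/* Look up an existing mapping; never allocates. */
static uint32_t idmap_rid_to_uid(const struct idmap *m, uint32_t rid)
{
    for (uint32_t i = 0; i < m->used; i++)
        if (m->rid[i] == rid)
            return UID_LOW + i;
    return UID_NONE;
}

/* Reverse lookup: uids outside the range or not yet handed out have no RID. */
static int idmap_uid_to_rid(const struct idmap *m, uint32_t uid, uint32_t *rid)
{
    if (uid < UID_LOW || uid - UID_LOW >= m->used)
        return -1;
    *rid = m->rid[uid - UID_LOW];
    return 0;
}

/* Return the stable uid for a RID, allocating the next free one on first use.
 * Fails closed with UID_NONE when the range is exhausted, rather than
 * wrapping and handing two accounts the same uid. */
static uint32_t idmap_get_uid(struct idmap *m, uint32_t rid)
{
    uint32_t uid = idmap_rid_to_uid(m, rid);
    if (uid != UID_NONE)
        return uid;
    if (m->used >= MAP_SLOTS)
        return UID_NONE;
    m->rid[m->used] = rid;
    return UID_LOW + m->used++;
}
```

Because slots are never reused here, a deleted account's uid cannot be inherited by a later RID along with any files that uid still owns.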

More information about the samba-technical mailing list