More proposed passdb changes: users without local unix uids.

Jean Francois Micouleau Jean-Francois.Micouleau at
Tue Jan 8 03:46:03 GMT 2002

On Tue, 8 Jan 2002, Andrew Bartlett wrote:

> Make pdb_add_sam_account() and pdb_upate_sam_account() refill their
> buffers
> I'm looking into some various changes to the passdb code - the item of
> interest to me at the moment is finally killing off the machine trust
> accounts in /etc/passwd (but I'm looking at crazy ideas about users not
> in /etc/passwd as well).

that's a good idea.

> As such I've made some modifications to the smbpasswd code so that it
> can store users without an /etc/passwd entry.  This is done by using the
> uids above 6000 and converting them to rids in line with existing
> practice.

that's a bad idea.

andrew you're loosing your time on smbpasswd.

do your work on samtdb or ldap, we should get rid of smbpasswd. You're
trying to improve something that can only be improved with band-aid. You
gave the proof to band-aid yourself: uid above 6000.

> Of course the uid field never makes it to the SAM_ACCOUNT struct, but
> this method is backward-compatible (as far as I can tell) because the
> smbpasswd format is unchanged (unless you are a site with over 6000
> users in smbpasswd, and I highly doubt there are any, given the
> performance problems).

I did some benchmark around mid december with some large smbpasswd to
check if the sam enumeration code was working well, I can tell you, the
smbpasswd performance is a false problem. It's maybe not efficient, but
it's not so bad. doing a libc getpwnam() is between 50 to 100 slower than
the smbpasswd lookup.

> The two issues I can see are:  Should we, on creating a new user, be
> setting fields in the SAM based on /etc/passwd entries and defaults
> (like full name, profile path) implicitly, or leave these things at
> their NULL value.  I assume on NT you are expected to do these manually,
> on a passdb backend it doesn't matter (not stored) and on an LDAP
> backend it all work because of the 'is default' flags stuff jerry is
> doing.  My vote is to extend that kind of thing to tdbsam and leave it
> at that.

you should store everything in tdbsam, and have a smb.conf parameter
"don't obey unix security". When true we don't do any getpwXXX() call,
think of winbind on the PDC, no more recursive problem ;-)


More information about the samba-technical mailing list