More proposed passdb changes: users without local unix uids.

Andrew Bartlett abartlet at pcug.org.au
Tue Jan 8 04:33:18 GMT 2002


Jean Francois Micouleau wrote:
> 
> On Tue, 8 Jan 2002, Andrew Bartlett wrote:
> 
> > Make pdb_add_sam_account() and pdb_update_sam_account() refill their
> > buffers
> >
> > I'm looking into some various changes to the passdb code - the item of
> > interest to me at the moment is finally killing off the machine trust
> > accounts in /etc/passwd (but I'm looking at crazy ideas about users not
> > in /etc/passwd as well).
> 
> that's a good idea.
> 
> > As such I've made some modifications to the smbpasswd code so that it
> > can store users without an /etc/passwd entry.  This is done by using the
> > uids above 6000 and converting them to rids in line with existing
> > practice.
> 
> that's a bad idea.
> 
> Andrew, you're losing your time on smbpasswd.
> 
> do your work on samtdb or ldap, we should get rid of smbpasswd. You're
> trying to improve something that can only be improved with band-aid. You
> gave the proof to band-aid yourself: uid above 6000.

I'm only using smbpasswd because it's simple to debug at a first cut, and
we already have the 'walk through' of the entire file (so I can find the
next allocatable uid).  I agree that it's nasty and I will be adding it
to LDAP once I clear the idea with Jerry - because I'll be using LDAP at
the site (hawkerc.net) where this will actually be deployed.

> > Of course the uid field never makes it to the SAM_ACCOUNT struct, but
> > this method is backward-compatible (as far as I can tell) because the
> > smbpasswd format is unchanged (unless you are a site with over 6000
> > users in smbpasswd, and I highly doubt there are any, given the
> > performance problems).
> 
> I did some benchmark around mid-December with some large smbpasswd to
> check if the sam enumeration code was working well, I can tell you, the
> smbpasswd performance is a false problem. It's maybe not efficient, but
> it's not so bad. doing a libc getpwnam() is between 50 and 100 times slower
> than the smbpasswd lookup.

Nice to know, thanks!
 
> > The two issues I can see are:  Should we, on creating a new user, be
> > setting fields in the SAM based on /etc/passwd entries and defaults
> > (like full name, profile path) implicitly, or leave these things at
> > their NULL value.  I assume on NT you are expected to do these manually,
> > on a passdb backend it doesn't matter (not stored) and on an LDAP
> > backend it all works because of the 'is default' flags stuff Jerry is
> > doing.  My vote is to extend that kind of thing to tdbsam and leave it
> > at that.
> 
> you should store everything in tdbsam, and have a smb.conf parameter
> "don't obey unix security". When true we don't do any getpwXXX() call,
> think of winbind on the PDC, no more recursive problem ;-)

Indeed, this is one of the problem spaces I'm trying to tackle.

Thanks for your input!

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
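As an added illustration of the 'walk through' Andrew describes (this is not code from the thread or from Samba), the block below scans constructed smbpasswd-format lines, picks the next allocatable uid at or above the 6000 floor, and converts it to a RID the way Samba's pdb_uid_to_user_rid() did at the time (uid * 2 + 1000). The sample entries and their hash values are constructed placeholders.

```python
# Added example, not from the thread or from Samba.  Walks constructed
# smbpasswd-format lines (user:uid:LM hash:NT hash:[flags]:LCT-hex:) to
# find the next uid above the 6000 floor mentioned in the thread, and maps
# uid -> RID with the formula Samba 2.2 used: uid * RID_MULTIPLIER + 1000.

NO_UNIX_UID_FLOOR = 6000   # first uid reserved for users with no /etc/passwd entry
RID_MULTIPLIER = 2         # as in Samba 2.2 pdb_uid_to_user_rid()
BASE_RID = 1000

# Constructed sample file: two ordinary users and one passdb-only machine account.
# 32 X's in a hash field is the smbpasswd convention for "no password set".
SAMPLE_SMBPASSWD = """\
# comment lines and blank lines are skipped

alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3C3A2B1F:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3C3A2B20:
ws1$:6001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-3C3A2B21:
"""

def parse_smbpasswd(text):
    """Yield (name, uid, flags) for each well-formed entry; skip junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        yield fields[0], int(fields[1]), fields[4]

def next_allocatable_uid(text, floor=NO_UNIX_UID_FLOOR):
    """Walk the whole file; return one past the highest uid seen, never below floor."""
    highest = floor - 1
    for _name, uid, _flags in parse_smbpasswd(text):
        if uid > highest:
            highest = uid
    return highest + 1

def uid_to_user_rid(uid):
    """Samba 2.2-era mapping of a unix uid to a user RID."""
    return uid * RID_MULTIPLIER + BASE_RID

def allocate_account(text, name, floor=NO_UNIX_UID_FLOOR):
    """Pick the uid and RID a new passdb-only account would get."""
    uid = next_allocatable_uid(text, floor)
    return {"name": name, "uid": uid, "rid": uid_to_user_rid(uid)}
```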



