More proposed passdb changes: users without local unix uids.
abartlet at pcug.org.au
Tue Jan 8 04:33:18 GMT 2002
Jean Francois Micouleau wrote:
> On Tue, 8 Jan 2002, Andrew Bartlett wrote:
> > Make pdb_add_sam_account() and pdb_update_sam_account() refill their
> > buffers
> > I'm looking into some various changes to the passdb code - the item of
> > interest to me at the moment is finally killing off the machine trust
> > accounts in /etc/passwd (but I'm looking at crazy ideas about users not
> > in /etc/passwd as well).
> that's a good idea.
> > As such I've made some modifications to the smbpasswd code so that it
> > can store users without an /etc/passwd entry. This is done by using the
> > uids above 6000 and converting them to rids in line with existing
> > practice.
> that's a bad idea.
> andrew you're losing your time on smbpasswd.
> do your work on samtdb or ldap, we should get rid of smbpasswd. You're
> trying to improve something that can only be improved with band-aid. You
> gave the proof to band-aid yourself: uid above 6000.
I'm only using smbpasswd because it's simple to debug at a first cut, and
we already have the 'walk through' of the entire file (so I can find the
next allocatable uid). I agree that it's nasty and I will be adding it
to LDAP once I clear the idea with Jerry - because I'll be using LDAP at
the site (hawkerc.net) where this will actually be deployed.
> > Of course the uid field never makes it to the SAM_ACCOUNT struct, but
> > this method is backward-compatible (as far as I can tell) because the
> > smbpasswd format is unchanged (unless you are a site with over 6000
> > users in smbpasswd, and I highly doubt there are any, given the
> > performance problems).
> I did some benchmark around mid december with some large smbpasswd to
> check if the sam enumeration code was working well, I can tell you, the
> smbpasswd performance is a false problem. It's maybe not efficient, but
> it's not so bad. Doing a libc getpwnam() is between 50 and 100 times slower than
> the smbpasswd lookup.
Nice to know, thanks!
> > The two issues I can see are: Should we, on creating a new user, be
> > setting fields in the SAM based on /etc/passwd entries and defaults
> > (like full name, profile path) implicitly, or leave these things at
> > their NULL value. I assume on NT you are expected to do these manually,
> > on a passdb backend it doesn't matter (not stored) and on an LDAP
> > backend it all works because of the 'is default' flags stuff jerry is
> > doing. My vote is to extend that kind of thing to tdbsam and leave it
> > at that.
> you should store everything in tdbsam, and have a smb.conf parameter
> "don't obey unix security". When true we don't do any getpwXXX() call,
> think of winbind on the PDC, no more recursive problem ;-)
Indeed, this is one of the problem spaces I'm trying to tackle.
Thanks for your input!
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
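The scheme Andrew describes above (uids at or above 6000 for accounts with no /etc/passwd entry, converted to RIDs "in line with existing practice"), as an added example that is not Samba's code: it walks a constructed smbpasswd file for the next allocatable uid, applies the uid*2+1000 user-RID rule (assumed here from Samba 2.2's algorithmic pdb_uid_to_user_rid), and flags the failure mode the "band-aid" objection points at, a synthetic uid that also exists in /etc/passwd, so a local user would silently share the RID of a passdb-only account.

```python
# Added example, not Samba's code. smbpasswd lines are "name:uid:LM:NT:[flags]:LCT-hex:".
from typing import Dict, List, Set

NON_UNIX_UID_FLOOR = 6000   # floor proposed in the thread for passdb-only accounts
RID_MULTIPLIER = 2          # assumed Samba 2.2 constants: user rid = uid*2 + 1000
BASE_RID = 1000

# Constructed sample data; the hashes are placeholders, not real credentials.
SMBPASSWD = """\
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3C3A0B00:
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3C3A0B00:
PC01$:6000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-3C3A0B00:
PC02$:6001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-3C3A0B00:
# comment lines are skipped, as smbpasswd does
"""
# Constructed set of uids present in this host's /etc/passwd; 6001 is a deliberate collision.
UNIX_UIDS: Set[int] = {0, 1001, 6001}


def parse_smbpasswd(text: str) -> Dict[str, int]:
    """Return {name: uid} for every well-formed line; malformed lines are ignored."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        users[fields[0]] = int(fields[1])
    return users


def next_free_uid(users: Dict[str, int], floor: int = NON_UNIX_UID_FLOOR) -> int:
    """Lowest uid >= floor not already used in the smbpasswd file (the 'walk through')."""
    taken = set(users.values())
    uid = floor
    while uid in taken:
        uid += 1
    return uid


def uid_to_user_rid(uid: int) -> int:
    return uid * RID_MULTIPLIER + BASE_RID


def user_rid_to_uid(rid: int) -> int:
    return (rid - BASE_RID) // RID_MULTIPLIER


def collisions(users: Dict[str, int], unix_uids: Set[int], floor: int = NON_UNIX_UID_FLOOR) -> List[str]:
    """Names whose synthetic uid (>= floor) is also a real local uid: their RID is ambiguous."""
    return sorted(name for name, uid in users.items() if uid >= floor and uid in unix_uids)
```

Run `collisions()` against the live /etc/passwd before and after adding local accounts; a non-empty result means the uid range is no longer reserved for passdb-only users.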