More proposed passdb changes: users without local unix uids.

Andrew Bartlett abartlet at pcug.org.au
Wed Jan 9 18:10:02 GMT 2002


"Gerald (Jerry) Carter" wrote:
> 
> On Tue, 8 Jan 2002, Jeremy Allison wrote:
> 
> > > Of course the uid field never makes it to the SAM_ACCOUNT struct, but
> > > this method is backward-compatible (as far as I can tell) because the
> > > smbpasswd format is unchanged (unless you are a site with over 6000
> > > users in smbpasswd, and I highly doubt there are any, given the
> > > performance problems).
> >
> > I'm concerned about this. The reason is that on many
> > sites the users are not allocated in a linear fashion.
> >
> > You can't just assume that users over 6000 are "safe".
> >
> > I'd resist creating users in smbpasswd that don't exist
> > in /etc/passwd. Please don't check this code in yet.
> 
> Andrew,
> 
> Can I suggest that you implement this as an alternative
> samdb backend?  If it works out ok, we can look at swapping
> it over.
> 
> Just for the record, I agree with Jeremy.

Sounds like a safe approach.  I'll use a uid-range smb.conf option much
like winbind.

This does however lead on to the next issue:  why do pdb_get_uid() and
pdb_get_gid() exist?

In HEAD they are only used for the auth subsystem.  This means two
things:  Firstly they do the exact opposite to what Jerry was wanting in
'we don't trust the uid in the SAM_ACCOUNT' line of thought, and
secondly, they create the whole winbindd infinite loop problem.

I'll be moving the auth subsystem to just filling in a part of the
server_info instead of using the SAM_ACCOUNT for this, and I'll be
fixing up rpc_server/srv_samr_nt.c so it doesn't need to call
pdb_getsampwuid() (the last user of this function - it's just after the
session key, and I'll have that stashed away from the auth return).

I'll also leave the getpwnam() in each passdb module for the time being -
to avoid listing non-unix users - and only do crazy stuff in my private
versions (which I might commit to cvs under another name).

The auth modules will do a normal getpwnam() for zero change in
behavior.

Thank you, everybody, for your feedback!

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
