More proposed passdb changes: users without local unix uids.

Andrew Bartlett abartlet at
Wed Jan 9 18:10:02 GMT 2002

"Gerald (Jerry) Carter" wrote:
> On Tue, 8 Jan 2002, Jeremy Allison wrote:
> > > Of course the uid field never makes it to the SAM_ACCOUNT struct, but
> > > this method is backward-compatible (as far as I can tell) because the
> > > smbpasswd format is unchanged (unless you are a site with over 6000
> > > users in smbpasswd, and I highly doubt there are any, given the
> > > performance problems).
> >
> > I'm concerned about this. The reason is that on many
> > sites the users are not allocated in a linear fashion.
> >
> > You can't just assume that users over 6000 are "safe".
> >
> > I'd resist creating users in smbpasswd that don't exist
> > in /etc/passwd. Please don't check this code in yet.
> Andrew,
> Can I suggest that you implement this as an alternative
> samdb backend?  If it works out ok, we can look at swapping
> it over.
> Just for the record, I agree with Jeremy.

Sounds like a safe approach.  I'll use a uid-range smb.conf option much
like winbind.

This does however lead on to the next issue:  why do pdb_get_uid() and
pdb_get_gid() exist?

In HEAD they are only used for the auth subsystem.  This means two
things:  Firstly they do the exact opposite to what Jerry was wanting in
'we don't trust the uid in the SAM_ACCOUNT' line of thought, and
secondly, they create the whole winbindd infinite loop problem.

I'll be moving the auth subsystem to just filling in a part of the
server_info instead of using the SAM_ACCOUNT for this, and I'll be
fixing up rpc_server/srv_samr_nt.c so it doesn't need to call
pdb_getsampwuid() (the last user of this function - it's just after the
session key, and I'll have that stashed away from the auth return).

I'll also leave the getpwnam() in each passdb module for the time being -
to avoid listing non-unix users - and only do crazy stuff in my private
versions (which I might commit to cvs under another name).

The auth modules will do a normal getpwnam() for zero change in

Thank you everybody for their feedback!

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
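
The uid-range idea and the "over 6000 is not automatically safe" objection discussed in this message, as an added example (not Samba code and not written by anyone in this thread): uids for non-unix accounts are taken from a configured range, and every candidate is checked against existing users before it is handed out. All function names, the "low-high" option syntax and the sample uids are assumptions made for illustration.

```c
/* Added example, hypothetical names: hand out uids for non-unix accounts from
 * a configured range, skipping any uid the system already maps to a user. */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

typedef int (*uid_in_use_fn)(uid_t uid);

/* Parse an assumed "low-high" option value. Returns 0 on success, -1 on error. */
int parse_uid_range(const char *s, uid_t *low, uid_t *high)
{
    unsigned long lo, hi;
    char trailing;
    if (sscanf(s, "%lu-%lu%c", &lo, &hi, &trailing) != 2)
        return -1;                      /* malformed or trailing junk */
    if (lo == 0 || lo > hi || hi > 0x7fffffffUL)
        return -1;                      /* never uid 0, no inverted or huge range */
    *low = (uid_t)lo;
    *high = (uid_t)hi;
    return 0;
}

/* Real check: does any passwd source already know this uid? */
int system_uid_in_use(uid_t uid) { return getpwuid(uid) != NULL; }

/* Constructed sample of a non-linear site: 6001 and 6003 are already taken. */
int sample_uid_in_use(uid_t uid) { return uid == 6001 || uid == 6003; }

/* Store the first free uid in [low, high] at or after *next in *out.
 * Returns 0 on success, -1 when the range is exhausted. */
int alloc_nonunix_uid(uid_t low, uid_t high, uid_t *next,
                      uid_in_use_fn in_use, uid_t *out)
{
    uid_t u;
    for (u = (*next < low) ? low : *next; u <= high; u++) {
        if (!in_use(u)) { *out = u; *next = u + 1; return 0; }
    }
    return -1;
}

int main(void)
{
    uid_t low, high, next = 0, uid;
    if (parse_uid_range("6000-6004", &low, &high) != 0) return 1;
    while (alloc_nonunix_uid(low, high, &next, sample_uid_in_use, &uid) == 0)
        printf("allocated uid %lu\n", (unsigned long)uid);
    return 0;
}
```

Passing `system_uid_in_use` instead of the sample callback checks candidates against the machine's real passwd sources.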
