More proposed passdb changes: users without local unix uids.
Andrew Bartlett
abartlet at pcug.org.au
Wed Jan 9 18:10:02 GMT 2002
"Gerald (Jerry) Carter" wrote:
>
> On Tue, 8 Jan 2002, Jeremy Allison wrote:
>
> > > Of course the uid field never makes it to the SAM_ACCOUNT struct, but
> > > this method is backward-compatible (as far as I can tell) because the
> > > smbpasswd format is unchanged (unless you are a site with over 6000
> > > users in smbpasswd, and I highly doubt there are any, given the
> > > performance problems).
> >
> > I'm concerned about this. The reason is that on many
> > sites the users are not allocated in a linear fashion.
> >
> > You can't just assume that users over 6000 are "safe".
> >
> > I'd resist creating users in smbpasswd that don't exist
> > in /etc/passwd. Please don't check this code in yet.
>
> Andrew,
>
> Can I suggest that you implement this as an alternative
> samdb backend? If it works out ok, we can look at swapping
> it over.
>
> Just for the record, I agree with Jeremy.
Sounds like a safe approach. I'll use a uid-range smb.conf option much
like winbind.
This does however lead on to the next issue: why do pdb_get_uid() and
pdb_get_gid() exist?
In HEAD they are only used for the auth subsystem. This means two
things: firstly, they do the exact opposite of what Jerry was wanting in
the 'we don't trust the uid in the SAM_ACCOUNT' line of thought, and
secondly, they create the whole winbindd infinite loop problem.
I'll be moving the auth subsystem to just filling in a part of the
server_info instead of using the SAM_ACCOUNT for this, and I'll be
fixing up rpc_server/srv_samr_nt.c so it doesn't need to call
pdb_getsampwuid() (the last user of this function - it's just after the
session key, and I'll have that stashed away from the auth return).
I'll also leave the getpwnam() in each passdb module for the time being -
to avoid listing non-unix users - and only do crazy stuff in my private
versions (which I might commit to CVS under another name).
The auth modules will do a normal getpwnam() for zero change in
behavior.
Thank you everybody for their feedback!
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
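Jeremy's objection above is that uids on many sites are not allocated linearly, so a fixed cut-off such as "over 6000" cannot be assumed free. The following is an added example, not Samba code, showing the check an administrator would run before picking a uid range for non-unix SAM accounts: walk the local passwd database with getpwent() (which also covers NSS sources such as NIS or LDAP) and report every existing account that falls inside the proposed range. The range arguments and the count_in_range() helper are assumptions for this example.

```c
/* Added example (not Samba code): verify that a proposed uid range for
 * non-unix SAM accounts does not collide with uids already present in
 * the local passwd database, instead of assuming "over 6000" is free. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Count how many of the given uids fall inside [lo, hi]. Kept as a pure
 * function so it can be exercised on constructed data. */
size_t count_in_range(const uid_t *uids, size_t n, uid_t lo, uid_t hi)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (uids[i] >= lo && uids[i] <= hi)
            hits++;
    return hits;
}

/* Walk the real passwd database and print every account whose uid lies
 * inside the proposed range; returns the number of collisions found. */
size_t report_range_collisions(uid_t lo, uid_t hi)
{
    size_t hits = 0;
    struct passwd *pw;

    setpwent();
    while ((pw = getpwent()) != NULL) {
        if (pw->pw_uid >= lo && pw->pw_uid <= hi) {
            printf("collision: %s already has uid %lu\n",
                   pw->pw_name, (unsigned long)pw->pw_uid);
            hits++;
        }
    }
    endpwent();
    return hits;
}

int main(int argc, char **argv)
{
    /* Hypothetical smb.conf-style range, e.g. "6000 6999" on the command line */
    uid_t lo = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 6000;
    uid_t hi = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 6999;
    size_t hits = report_range_collisions(lo, hi);

    printf("%zu existing account(s) inside uid range %lu-%lu\n",
           hits, (unsigned long)lo, (unsigned long)hi);
    return hits ? 1 : 0;   /* non-zero exit means the range is not safe */
}
```

A non-zero exit status means the range already overlaps real accounts and a different range (or a per-site allocation policy) is needed.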