passdb interface design

Stefan (metze) Metzmacher metze at metzemix.de
Tue Oct 1 06:53:01 GMT 2002


At 15:59 30.09.2002 +0200, Volker.Lendecke at SerNet.DE wrote:
>
>
>Hi!
>
>
>Recently I have done some work on the passdb interface in order to get
>it work with 'net rpc vampire'. The main problem with both of them
>playing together is the question of RIDs. When doing the 'net rpc
>vampire', the PDC dictates our RIDs, and the old 2.2 style algorithmic
>uid->RID translation is around everywhere, esp. in mapping.c and
>passdb.c. So I tried to move all the calls to the functions to the
>smbpasswd and unix backends, where they really have a case.
>
>
>Some points to look at:
>
>
>* There are no unmapped groups anymore. get_group_from_gid creates
>   mappings on the fly when needed.
>
>
>* pdb_fill_sam_pw does *not* fill group and user SID anymore.
>
>
>* NULL user sid for pdb_add_sam_account means 'allocate a RID'.
>
>
>* local_uid_to_sid has to hand out a SID for each unix user. If the
>   unix user is not in pdb, we now hand out 'S-1-5-33-unixuid'. This
>   works fine on NT and W2k.
>
>
>Current question(s):
>
>
>* The RID allocator is in the wrong place. It's currently storing its
>   stuff in secrets.tdb. smbpasswd should use the old algorithmic
>   mapping, net rpc vampire will not work with smbpasswd. To let this
>   not interfere with group RID allocation, the passdb backend must be
>   asked 'give me a RID for this unix gid'.

right.


>* The other alternative is to move the (not too big) groupdb API
>   entirely to the passdb backend. This would make it possible to get
>   LDAP replication for group mapping quite easily. We could encapsulate
>   LDAP (with connection caching.... ;-) in one file.

sounds good to me

>* Design of LDAP replication: What about a sambaGroup objectclass as
>   supplementary to posixGroup that contains gid, sid, ntname,
>   grouptype, comment etc? All the stuff that mapping.c stores in the
>   tdb.

sid, ntname and grouptype have to be added. gid is in posixGroup I think, and comment 
should be description.

But it would be nice if we could make the design of this also ready for 
sam_ldap.
And maybe update sambaAccount too (change ASCII strings to directory 
strings (UTF-8) ... change the rid to sid...), and modify the backend to 
be able to switch between the new and old schema. Add sambaDomain ...


some lines from IRC:
[07:42:28] <metze> hi abartlet
[07:42:44] <metze> what do you say to vl's patch
[07:43:25] <metze> I think we should have a rid_allocator in each backend!
[07:43:35] <@abartlet> vl: I need to pull it apart a bit
[07:43:37] <@abartlet> I agree
[07:44:56] <metze> and we should have a plugable group mapping
[07:45:02] <metze> tdb or ldap
[07:46:45] <metze> and someone should use (pdb_ldap AND group_map_ldap AND rid_alloc_ldap) or (pdb_tdb AND group_map_tdb AND rid_alloc_tdb)
[07:56:36] <metze> but the rest look good
[07:56:46] <metze> but I haven't test it



metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <metze at metzemix.de>
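The distinction the thread is about (an algorithmic uid->RID mapping that cannot accept PDC-dictated RIDs, versus a backend that owns its own RID allocator and records uid/gid-to-SID mappings) can be shown in a small model. The following is an added example and is not Samba code; the class and method names (AlgorithmicBackend, AllocatingBackend, add_sam_account, uid_to_sid, get_group_from_gid) and the sample domain SID are assumptions for illustration. The constants mirror the 2.2-era algorithmic mapping (RID = uid * 2 + base, gid RIDs offset by one); the S-1-5-33-<uid> fallback for unix users not in passdb is the one Volker describes above.

```python
"""Added example, not Samba code: toy model of the two RID strategies
discussed in the thread.  All class/function names are assumptions."""

from typing import Dict, Optional, Set

RID_MULTIPLIER = 2            # 2.2-style algorithmic mapping constants
ALGORITHMIC_RID_BASE = 1000
DOMAIN_SID = "S-1-5-21-1-2-3"  # constructed sample domain SID

# Prefix the post uses for unix users that have no passdb entry.
UNMAPPED_UNIX_USER_PREFIX = "S-1-5-33"


class AlgorithmicBackend:
    """smbpasswd-style: the RID is a pure function of uid/gid, nothing is
    stored, so a RID dictated by a PDC (net rpc vampire) cannot be kept."""

    def __init__(self, domain_sid: str = DOMAIN_SID):
        self.domain_sid = domain_sid

    def uid_to_rid(self, uid: int) -> int:
        return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE

    def gid_to_rid(self, gid: int) -> int:
        # group RIDs are odd, user RIDs even, so they never collide
        return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1

    def rid_to_uid(self, rid: int) -> int:
        return (rid - ALGORITHMIC_RID_BASE) // RID_MULTIPLIER

    def add_sam_account(self, uid: int, sid: Optional[str] = None) -> str:
        computed = f"{self.domain_sid}-{self.uid_to_rid(uid)}"
        if sid is not None and sid != computed:
            raise ValueError("algorithmic backend cannot store a foreign RID")
        return computed


class AllocatingBackend:
    """tdb/LDAP-style: the backend owns a RID counter and records the
    uid->SID and gid->SID mappings, so PDC-dictated RIDs are stored as-is."""

    def __init__(self, domain_sid: str = DOMAIN_SID, first_rid: int = 1000):
        self.domain_sid = domain_sid
        self.next_rid = first_rid
        self.users: Dict[int, str] = {}   # uid -> SID
        self.groups: Dict[int, str] = {}  # gid -> SID
        self.used: Set[int] = set()

    def _allocate_rid(self) -> int:
        rid = self.next_rid
        self.next_rid += 1
        self.used.add(rid)
        return rid

    def _take_rid(self, sid: str) -> int:
        """Accept a RID chosen elsewhere (e.g. by the PDC during vampire),
        rejecting foreign-domain SIDs and duplicates, and keeping the
        allocator ahead of anything imported."""
        prefix = self.domain_sid + "-"
        if not sid.startswith(prefix):
            raise ValueError(f"{sid} is not in domain {self.domain_sid}")
        rid = int(sid[len(prefix):])
        if rid in self.used:
            raise ValueError(f"RID {rid} already in use")
        self.used.add(rid)
        self.next_rid = max(self.next_rid, rid + 1)
        return rid

    def add_sam_account(self, uid: int, sid: Optional[str] = None) -> str:
        """sid=None means 'allocate a RID', as in the post."""
        if uid in self.users:
            raise ValueError(f"uid {uid} already mapped")
        rid = self._allocate_rid() if sid is None else self._take_rid(sid)
        self.users[uid] = f"{self.domain_sid}-{rid}"
        return self.users[uid]

    def uid_to_sid(self, uid: int) -> str:
        """Every unix user gets a SID; users not in pdb get S-1-5-33-<uid>."""
        return self.users.get(uid, f"{UNMAPPED_UNIX_USER_PREFIX}-{uid}")

    def get_group_from_gid(self, gid: int) -> str:
        """No unmapped groups: the mapping is created on the fly."""
        if gid not in self.groups:
            self.groups[gid] = f"{self.domain_sid}-{self._allocate_rid()}"
        return self.groups[gid]


def vampire_demo():
    """Local account, then a PDC-dictated RID (constructed), then another
    local account: the allocator must not reuse the imported RID."""
    pdb = AllocatingBackend()
    local = pdb.add_sam_account(uid=500)
    imported = pdb.add_sam_account(uid=501, sid=f"{DOMAIN_SID}-1105")
    after = pdb.add_sam_account(uid=502)
    return local, imported, after, pdb.uid_to_sid(999)


if __name__ == "__main__":
    print(vampire_demo())
```

The point of the model is the one Volker raises: the allocator and the group mapping must live behind the same backend interface, since an algorithmic backend answers "give me a RID for this gid" by computation while a tdb/LDAP backend answers it from stored, allocator-owned state.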



