passdb interface design

Stefan (metze) Metzmacher metze at
Tue Oct 1 06:53:01 GMT 2002

At 15:59 30.09.2002 +0200, Volker.Lendecke at SerNet.DE wrote:
>*** PGP Signature Status: bad
>*** Signer: Volker Lendecke <Volker.Lendecke at SerNet.DE> (Invalid)
>*** Signed: 30.09.2002 15:59:49
>*** Verified: 30.09.2002 16:10:33
>Recently I have done some work on the passdb interface in order to get
>it work with 'net rpc vampire'. The main problem with both of them
>playing together is the question of RIDs. When doing the 'net rpc
>vampire', the PDC dictates our RIDs, and the old 2.2 style algorithmic
>uid->RID translation is around everywhere, esp. in mapping.c and
>passdb.c. So I tried to move all the calls to the functions to the
>smbpasswd and unix backends, where they really have a case.
>Some points to look at:
>* There are no unmapped groups anymore. get_group_from_gid creates
>   mappings on the fly when needed.
>* pdb_fill_sam_pw does *not* fill group and user SID anymore.
>* NULL user sid for pdb_add_sam_account means 'allocate a RID'.
>* local_uid_to_sid has to hand out a SID for each unix user. If the
>   unix user is not in pdb, we now hand out 'S-1-5-33-unixuid'. This
>   works fine on NT and W2k.
>Current question(s):
>* The RID allocator is in the wrong place. It's currently storing its
>   stuff in secrets.tdb. smbpasswd should use the old algorithmic
>   mapping, net rpc vampire will not work with smbpasswd. To let this
>   not interfere with group RID allocation, the passdb backend must be
>   asked 'give me a RID for this unix gid'.


>* The other alternative is to move the (not too big) groupdb API
>   entirely to the passdb backend. This would make it possible to get
>   LDAP replication for group mapping quite easily. We could encapsulate
>   LDAP (with connection caching.... ;-) in one file.

sounds good to me

>* Design of LDAP replication: What about a sambaGroup objectclass as
>   supplementary to posixGroup that contains gid, sid, ntname,
>   grouptype, comment etc? All the stuff that mapping.c stores in the
>   tdb.

sid,ntname,grouptype have to be add. gid is posixGroup I think and comment 
should be description.

But it would be nice if we could make the design of this also ready for 
And maybe update sambaAccount too.( change acsii string to directory 
strings (utf-8) ... change the rid to sid...). and modify thet backend to 
be able to switch between the new and old schema. Add sambaDomain ...

some lines from IRC:
[07:42:28] <metze> hi abartlet
[07:42:44] <metze> what do you say to vl's patch
[07:43:25] <metze> I think we should have a rid_allocator in each backend!
[07:43:35] <@abartlet> vl: I need to pull it apart a bit
[07:43:37] <@abartlet> I agree
[07:44:56] <metze> and we should have a plugable group mapping
[07:45:02] <metze> tdb or ldap
[07:46:45] <metze> and someone should use (pdb_ldap AND group_map_ldap AND 
rid_alloc_ldap)or (pdb_tdb AND group_map_tdb AND rid_alloc_tdb)
[07:56:36] <metze> but the rest look good
[07:56:46] <metze> but I haven't test it

Stefan "metze" Metzmacher <metze at>

More information about the samba-technical mailing list