auth.c Error

Andrew Bartlett abartlet at samba.org
Sat Oct 12 23:45:02 GMT 2002


Volker.Lendecke at SerNet.DE wrote:
> 
> Andrew,
> 
> On Sat, Oct 12, 2002 at 09:25:22AM +1000, Andrew Bartlett wrote:
> > You either need to keep the 'unixsam' in your 'passdb backends' line in
> > your smb.conf, or add a 'guest' account to ldap, with a real unix UID
> > (possibly the same as nobody, should be the same as 'guest account') and
> > with RID 501.
> 
> One part of my patch gets rid of some needs for unixsam just for this case. I
> fake the guest account directly in make_server_info_guest. I am not sure if
> this covers all cases, but much PDC-related stuff works. unixsam is then only
> needed for plaintext passwords, and we can allow only one passdb backend.

I added the 'magic 501 for guest' stuff for 2 reasons:

- I had a bug in the domain join, where Win2k was looking up RID 501 by
number, and failing because it wasn't there
- Also, I wanted to be sure we always got correct uid->sid and sid->uid
mapping for the guest user.  I wanted an NT ACL to be able to include
this 'well known' user, and have it behave as expected.  While *most*
cases inside Samba now use just the NT_TOKEN generated at login time, we
still make one up from uid/gid/groups in a number of cases.  I wanted to
ensure as much as possible that the 2 tokens are identical.

The rest of unixsam was added because I wanted it to be able to be
removed :-).  That is, if the admin had all users in LDAP, I wanted the
admin to be able to remove it from the smb.conf, and remove all the
'implicit' algorithmic mappings and magic unix mappings.  We are not
quite there yet, unfortunately - there are a large number of corner cases
here.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net


