auth.c Error

Andrew Bartlett abartlet at
Sat Oct 12 23:45:02 GMT 2002

Volker.Lendecke at SerNet.DE wrote:
> Andrew,
> On Sat, Oct 12, 2002 at 09:25:22AM +1000, Andrew Bartlett wrote:
> > You either need to keep the 'unixsam' in your 'passdb backends' line in
> > your smb.conf, or add a 'guest' account to ldap, with a real unix UID
> > (possibly the same as nobody, should be the same as 'guest account') and
> > with RID 501.
> One part of my patch gets rid of some needs for unixsam just for this case. I
> fake the guest account directly in make_server_info_guest. I am not sure if
> this covers all cases, but much PDC-related stuff works. unixsam is then only
> needed for plaintext passwords, and we can allow only one passdb backend.

I added the 'magic 501 for guest' stuff for 2 reasons:

- I had a bug in the domain join, where Win2k was looking up RID 501 by
number, and failing becouse it wasn't there
- Also, I wanted to be sure we always got correct uid->sid and sid->uid
mapping for the guest user.  I wanted an NT ACL to be able to include
this 'well known' user, and have it behave as expected.  While *most*
cases inside Samba now use just the NT_TOEKN generated at login time, we
still make one up from uid/gid/groups in a number of cases.  I wanted to
ensure as much as possible that the 2 tokens are identical.

The rest of unixsam was added becouse I wanted it to be able to be
removed :-).  That is, if the admin had all users in LDAP, I wanted the
admin to be able to remove it from the smb.conf, and remove all the
'implicit' algorithmic mappings and magic unix mappings.  We are not
quite there yet, unfortunetly - there are a large number of corner cases

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list