CVS update: samba/source/passdb

Andrew Bartlett abartlet at samba.org
Tue Jul 1 01:44:54 GMT 2003


On Tue, 2003-07-01 at 11:30, Jeremy Allison wrote:
> On Tue, Jul 01, 2003 at 11:15:23AM +1000, Andrew Bartlett wrote:
> > On Tue, 2003-07-01 at 06:45, jerry at samba.org wrote:
> > > Date:	Mon Jun 30 20:45:14 2003
> > > Author:	jerry
> > > 
> > > Update of /data/cvs/samba/source/passdb
> > > In directory dp.samba.org:/tmp/cvs-serv29095/passdb
> > > 
> > > Modified Files:
> > >       Tag: SAMBA_3_0
> > > 	passdb.c 
> > 
> > The change to get_global_sam_name() is *wrong*.
> > 
> > This is the name of our user database - it is normally the name of the
> > local machine.  In particular, in a workgroup (ie, standalone server)
> > situation, it *must* be the name of our local machine, not the
> > workgroup (which is irrelevant to authentication).
> 
> Did you look at the change ? It returns the local name if we are
> a standalone server.

I wanted to be perfectly clear as to how I wrote this function to work.

> > The same applies to the domain member - the *local* sam is named after
> > the machine - the PDC carries the DOMAIN as its sam, because multiple
> > DCs of different names share the same SAM, and do not have a 'local'
> > SAM.
> 
> This I'm not sure of (haven't tested Windows domain members myself)
> but don't you think Jerry and Volker would have looked at and tested this ?

The problem is, I wrote that code for a very specific reason.  It is
quite possible that we have cases where we should return the domain
name, but that does not change the fact that many of the callers of this
function expected exactly what I say here.

Ie, this function consolidated existing inline code all over samba that
did exactly the same thing.  

The intention is to match 'get_global_sam_sid()'.  If callers want a
different answer, they should call a different function.  

The tests I would suggest are:

 - calling _lsa_unk_get_connuser() (used by NT4 in 'take ownership'
operations).
 - _samr_enum_domains (lists domains controlled by this machine)

Also, what domain should 'pdbedit -L -v' on a domain member return?  I
would suggest that returning 'DOMAIN\foo' on WORKSTATION is the wrong
thing.

I trust that jerry and vl tested things - but we all know the game here
is testing the *right* things :-)

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net