refactoring idmap code in smbd
Jeremy Allison
jra at samba.org
Wed Jul 9 17:06:11 GMT 2003
On Wed, Jul 09, 2003 at 11:45:25AM -0500, Gerald (Jerry) Carter wrote:
>
> The new code has been checked in. Please see
> docs/README.idmap-and-winbind-changes in CVS for details.
> I'm sure there will be a lot of discussion on this.
Ok, now the initial code is in, and before I have to jump
on a plane to Portland, here is an explaination of my "moment
of clarity" w.r.t. idmap.
The problem was the non-unix accounts. We need them to allow
migration of existing NT SAMs and for machine accounts, but
we generated an ugly mess in smbd trying to make them work.
The simple solution - there are no non unix accounts (or spoon
either, for you Matrix fans :-).
How do we do this ? The new concept is that winbindd can
be a source of accounts (ie. it contains its own local
accounts/groups db), as well as a method of getting at
remote accounts.
The concept is simple - when we need a non-unix account,
we ask winbindd to create it for us in its own db, along
with the relevent SID <--> uid/gid mapping. It then becomes
a unix account, listable via nsswitch and getpwnam/getgrnam
and all the other posix functions we know and love.
For all you security people - winbindd will *never* create
an uid/gid with a value of zero, and we will add code to
check for all the paranoia about control characters and ':'
characters in all the element entries.
Adding a password and group database source to winbindd allows
easy migration of existing NT SAM databases (all the new users/
sids get auto created by winbindd and are now seen by the rest
of the system), and also the creation of machine accounts without
having to have them in /etc/passwd (winbindd creates the entries
in its own db).
smbd is greatly simplified as it can always assume that any account is
really a unix account and a sid mapping exists. When we need a
new account we use the 'create script' if the admin defined one,
otherwise the new capability of winbindd to create a user or
group account if the admin permits it.
Lets face it, if you want to have non-unix accounts then having
to run winbindd to make them work is a simple pre-requisite and not
much of a burden - after all, you need winbindd for any complex
setups requiring domain membership.
There'll probably be bugs in the code, but the new design is
really simple and clean. Lots of ugly code is thrown away from
smbd.
Jeremy.
More information about the samba-technical
mailing list