status of unixsam and guest passdb backends?

Andrew Bartlett abartlet at samba.org
Mon Mar 31 00:23:16 GMT 2003


On Mon, 2003-03-31 at 10:10, Gerald (Jerry) Carter wrote:
> On 31 Mar 2003, Andrew Bartlett wrote:
> 
> > > Unixsam was a useful hack and a bad idea.  Most of what it was trying
> > > to do it couldn't really do, and will be replaced by idmap.  I had
> > > wanted all rid->uid translations to go via the passdb.  However, we
> > > still have to map uid->rid for 'non-existent' accounts, so the
> > > fallback code never got removed, and having unixsam just confused
> > > things (particularly when we were running winbindd too).
> > > 
> > > It also broke a pile of conventions about the relationship between
> > > unix and Samba accounts, as you correctly note.
> > 
> > Guestsam is in there to provide the only useful thing unixsam did -
> > ensuring that the guest account really was the guest, and had the guest
> > RID.  It also helped with some Win2k behavior that assumed the presence
> > of the guest account.
> 
> Could you update smb.conf(5) to this effect?  Thanks.

Sure.

> Should unixsam support be removed altogether so people can't
> break their servers by listing it in the passdb backends?

Hmm...  Possibly.  On a system that has all authentication otherwise
redirected, it might have some value, but that's marginal.  Its only
current value is in sid->name and name->sid translations.

My intention is to separate the sid->name issue into another layer, much
in the same way that the idmap is being split off.  That way we can do
the simple sid->name mapping for 'unix' users, but don't commit to
having a full passdb record for them.  I'll have to see how this impacts
on things like domain joins however.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net


More information about the samba-technical mailing list