patch to allow winbind to provide fallback for nsswitch lookups
Gerald (Jerry) Carter
jerry at samba.org
Thu Oct 28 14:41:31 GMT 2004
Luke Mewburn wrote:
| Hi all.
|
| I recently ran into a problem where I need to use "standard"
| nsswitch.conf sources (such as "files" or "nis") to provide the
| "username -> UID" mapping that smbd(8) needs, and also use winbindd(8)
| (via nss_winbind.so) to provide dynamic UID allocation as a fallback.
| I've described this in more detail in:
| http://lists.samba.org/archive/samba/2004-October/094981.html
|
| I've implemented a new smb.conf(5) directive to solve this problem:
| trim default domain = yes/no
|
| When enabled, this causes smbd(8) (via smb_getpwnam()) to strip the
| leading "DOMAIN\" from a lookup if and only if "DOMAIN" is equivalent
| to lp_workgroup().
|
| Thus, with:
|   nsswitch.conf:
|     passwd: files nis winbind
|   smb.conf:
|     security = ADS
|     realm = FOO.BAR
|     workgroup = FOO
|     trim default domain = yes
|     winbind use default domain = yes
|     idmap uid = 50000-59999
|   NIS passwd:
|     user1:*:10001:20000:&:/home/user1:/bin/sh
|   ADS users
|     FOO\user1
|     FOO\adsuser1
|
| We get the following behaviour:
|   % kinit user1@FOO.BAR
|   % smbclient -k //samba/someshare
|   connects as uid=10001
|
|   % kinit adsuser1@FOO.BAR
|   % smbclient -k //samba/someshare
|   connects as uid=50000 (or some other UID in 50000..59999)
|
| I.e., UIDs are obtained from /etc/passwd or NIS passwd if the user is
| present in those, otherwise winbind will provide a faked up UID
| (well, faked up 'struct passwd'...)
|
| What do people think?
| Surely I can't be the only person who needs this?

Luke,

no offense, but I really hate the parameter name. I've
got a long standing bitterness against 'winbind use
default domain' since it caused so many problems in the
Samba code.

And the way I read your code, you are just checking if the
user exists and if not, calling the add_user_script.
If this is the case, then why not just not set the idmap uid
and gid ranges?

And I think that these types of checks make smbd
overly complicated. The right place to put them would
be to have winbindd return the uid for a stripped username.
But again, I'm a little conservative on these types of
changes since we end up with overly complicated code
with too many if() statements.

But if you can give a clean implementation in winbindd_getpwnam()
and winbindd_getgrnam(), I'd be willing to look at it. Also don't
forget about getpwent() and getgrent().

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
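
Added illustration, not part of the original thread and not Luke's patch or Samba code: the lookup order from the quoted example setup, showing that only a prefix equal to the local workgroup is stripped, so a foreign-domain "user1" never resolves to the local account. The names trim_default_domain(), resolve_uid() and the in-memory passwd table are hypothetical, and the idmap allocation is a plain counter rather than winbindd's persistent mapping.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helper: return the user part of "DOMAIN\user" only when
 * DOMAIN equals the local workgroup (case-insensitive). */
static const char *trim_default_domain(const char *name, const char *workgroup)
{
    const char *sep = strchr(name, '\\');
    size_t dlen;

    if (sep == NULL || sep[1] == '\0')
        return name;   /* no prefix, or empty user part */
    dlen = (size_t)(sep - name);
    if (dlen != strlen(workgroup) || strncasecmp(name, workgroup, dlen) != 0)
        return name;   /* foreign domain stays fully qualified */
    return sep + 1;
}

/* Constructed stand-in for the "files nis" sources of the example setup. */
struct entry { const char *name; unsigned uid; };
static const struct entry local_passwd[] = { { "user1", 10001 } };

/* Counter over "idmap uid = 50000-59999"; mappings are not remembered here. */
static unsigned next_idmap_uid = 50000;

/* Resolve in nsswitch order: local sources first, then an allocation from
 * the idmap range. Returns 0 when the range is exhausted. */
static unsigned resolve_uid(const char *name, const char *workgroup)
{
    const char *user = trim_default_domain(name, workgroup);
    size_t i;

    for (i = 0; i < sizeof(local_passwd) / sizeof(local_passwd[0]); i++)
        if (strcmp(local_passwd[i].name, user) == 0)
            return local_passwd[i].uid;
    if (next_idmap_uid > 59999)
        return 0;
    return next_idmap_uid++;
}

int main(void)
{
    printf("FOO\\user1    -> %u\n", resolve_uid("FOO\\user1", "FOO"));
    printf("FOO\\adsuser1 -> %u\n", resolve_uid("FOO\\adsuser1", "FOO"));
    printf("OTHER\\user1  -> %u\n", resolve_uid("OTHER\\user1", "FOO"));
    return 0;
}
```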