patch to allow winbind to provide fallback for nsswitch lookups

Gerald (Jerry) Carter jerry at samba.org
Thu Oct 28 14:41:31 GMT 2004


Luke Mewburn wrote:
| Hi all.
|
| I recently ran into a problem where I need to use "standard"
| nsswitch.conf sources (such as "files" or "nis") to provide the
| "username -> UID" mapping that smbd(8) needs, and also use winbindd(8)
| (via nss_winbind.so) to provide dynamic UID allocation as a fallback.
| I've described this in more detail in:
| 	http://lists.samba.org/archive/samba/2004-October/094981.html
|
| I've implemented a new smb.conf(5) directive to solve this problem:
| 	trim default domain = yes/no
|
| When enabled, this causes smbd(8) (via smb_getpwnam()) to strip the
| leading "DOMAIN\" from a lookup if and only if "DOMAIN" is equivalent
| to lp_workgroup().
|
| Thus, with:
|     nsswitch.conf:
| 	passwd: files nis winbind
|     smb.conf:
| 	security = ADS
| 	realm = FOO.BAR
| 	workgroup = FOO
| 	trim default domain = yes
| 	winbind use default domain = yes
| 	idmap uid = 50000-59999
|     NIS passwd:
| 	user1:*:10001:20000:&:/home/user1:/bin/sh
|     ADS users
| 	FOO\user1
| 	FOO\adsuser1
|
| We get the following behaviour:
| 	% kinit user1@FOO.BAR
| 	% smbclient -k //samba/someshare
| 		connects as uid=10001
|
| 	% kinit adsuser1@FOO.BAR
| 	% smbclient -k //samba/someshare
| 		connects as uid=50000 (or some other UID in 50000..59999)
|
| I.e., UIDs are obtained from /etc/passwd or NIS passwd if the user is
| present in those, otherwise winbind will provide a faked up UID
| (well, faked up 'struct passwd'...)
|
| What do people think?
| Surely I can't be the only person who needs this?

Luke,

No offense, but I really hate the parameter name.  I've
got a long-standing bitterness against 'winbind use
default domain' since it caused so many problems in the
Samba code.

And the way I read your code, you are just checking if the
user exists and if not, calling the add_user_script.
If this is the case, then why not just not set the idmap uid
and gid ranges?

And I think that these types of checks make smbd
overly complicated.  The right place to put them would
be to have winbindd return the uid for a stripped username.
But again, I'm a little conservative on these types of
changes since we end up with overly complicated code
with too many if() statements.

But if you can give a clean implementation in winbindd_getpwnam()
and winbindd_getgrnam(), I'd be willing to look at it.  Also don't
forget about getpwent() and getgrent().



cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
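
The lookup behaviour discussed in this thread, as an added example that is not code from the patch or from Samba: the "DOMAIN\" prefix is dropped only when it matches the configured workgroup, and the bare name is then resolved through the passwd sources in order, so a NIS entry wins over a dynamically allocated UID. The names `trim_default_domain` and `lookup_uid`, the in-memory tables and the case-insensitive domain comparison are assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the NIS passwd map in the thread's example. */
struct entry { const char *name; unsigned uid; };
static const struct entry nis_passwd[] = { { "user1", 10001 } };

/* "idmap uid = 50000-59999" from the example smb.conf. */
#define IDMAP_LOW  50000u
#define IDMAP_HIGH 59999u
static unsigned next_idmap_uid = IDMAP_LOW;

/* Return the bare user name when `name` is "WORKGROUP\user" and the domain
 * part equals `workgroup`; otherwise return `name` unchanged.
 * Case-insensitive matching is an assumption, not taken from the patch. */
const char *trim_default_domain(const char *name, const char *workgroup)
{
    const char *sep = strchr(name, '\\');
    size_t dlen;

    if (sep == NULL || sep[1] == '\0')
        return name;                  /* unqualified name, or empty user part */
    dlen = (size_t)(sep - name);
    if (dlen != strlen(workgroup) || strncasecmp(name, workgroup, dlen) != 0)
        return name;                  /* other domain: keep it qualified */
    return sep + 1;
}

/* Resolve a UID: NIS table first, then a winbind-like allocator as fallback.
 * The allocator keeps no name-to-UID map (a real idmap backend does).
 * Returns 0 when the idmap range is exhausted. */
unsigned lookup_uid(const char *name, const char *workgroup)
{
    const char *user = trim_default_domain(name, workgroup);
    size_t i;

    for (i = 0; i < sizeof nis_passwd / sizeof nis_passwd[0]; i++)
        if (strcmp(nis_passwd[i].name, user) == 0)
            return nis_passwd[i].uid;
    if (next_idmap_uid > IDMAP_HIGH)
        return 0;
    return next_idmap_uid++;
}
```

A name qualified with a different domain is never trimmed, so it cannot pick up the UID of a same-named NIS or local account.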