patch to allow winbind to provide fallback for nsswitch lookups

Gerald (Jerry) Carter jerry at
Thu Oct 28 14:41:31 GMT 2004

Luke Mewburn wrote:
| Hi all.
| I recently ran into a problem where I need to use "standard"
| nsswitch.conf sources (such as "files" or "nis") to provide the
| "username -> UID" mapping that smbd(8) needs, and also use winbindd(8)
| (via to provide dynamic UID allocation as a fallback.
| I've described this in more detail in:
| I've implemented a new smb.conf(5) directive to solve this problem:
| 	trim default domain = yes/no
| When enabled, this causes smbd(8) (via smb_getpwnam()) to strip the
| leading "DOMAIN\" from a lookup if and only if "DOMAIN" is equivalent
| to lp_workgroup().
| Thus, with:
|     nsswitch.conf:
| 	passwd: files nis winbind
|     smb.conf:
| 	security = ADS
| 	realm = FOO.BAR
| 	workgroup = FOO
| 	trim default domain = yes
| 	winbind use default domain = yes
| 	idmap uid = 50000-59999
|     NIS passwd:
| 	user1:*:10001:20000:&:/home/user1:/bin/sh
|     ADS users
| 	FOO\user1
| 	FOO\adsuser1
| We get the following behaviour:
| 	% kinit user1@FOO.BAR
| 	% smbclient -k //samba/someshare
| 		connects as uid=10001
| 	% kinit adsuser1@FOO.BAR
| 	% smbclient -k //samba/someshare
| 		connects as uid=50000 (or some other UID in 50000..59999)
| I.e., UIDs are obtained from /etc/passwd or NIS passwd if the user is
| present in those, otherwise winbind will provide a faked up UID
| (well, faked up 'struct passwd'...)
| What do people think?
| Surely I can't be the only person who needs this?


No offense, but I really hate the parameter name.  I've
got a long standing bitterness against 'winbind use
default domain' since it caused so many problems in the
Samba code.

And the way I read your code, you are just checking if the
user exists and if not, calling the add_user_script.
If this is the case, then why not just not set the idmap uid
and gid ranges?

And I think that these types of checks make smbd
overly complicated.  The right place to put them would
be to have winbindd return the uid for a stripped username.
But again, I'm a little conservative on these types of
changes since we end up with overly complicated code
with too many if() statements.

But if you can give a clean implementation in winbindd_getpwnam()
and winbindd_getgrnam(), I'd be willing to look at it.  Also don't
forget about getpwent() and getgrent().

cheers, jerry
- ---------------------------------------------------------------------
Alleviating the pain of Windows(tm)      -------
GnuPG Key                -----
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
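
The lookup behaviour discussed in this thread, as an added sketch that is not part of the original messages or of the Samba source: strip a leading "DOMAIN\" only when DOMAIN equals the workgroup, then resolve in "passwd: files nis winbind" order. The helper names, the lookup tables and the case-insensitive domain comparison are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data mirroring the configuration quoted in the thread. */
struct entry { const char *name; int uid; };
static const struct entry nis_passwd[] = { { "user1", 10001 } };
/* Assumed winbind view: every FOO account has a UID inside idmap uid 50000-59999. */
static const struct entry winbind_map[] = { { "adsuser1", 50000 }, { "user1", 50001 } };

/* Hypothetical helper: drop a leading "DOMAIN\" only when DOMAIN matches
 * the workgroup (case-insensitive match is an assumption of this sketch). */
const char *trim_default_domain(const char *name, const char *workgroup)
{
    const char *sep = strchr(name, '\\');
    if (sep == NULL || sep[1] == '\0')
        return name;                      /* no prefix, or nothing after it */
    size_t dlen = (size_t)(sep - name);
    if (dlen != strlen(workgroup) || strncasecmp(name, workgroup, dlen) != 0)
        return name;                      /* other domain: leave untouched */
    return sep + 1;
}

static int find(const struct entry *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0)
            return tab[i].uid;
    return -1;
}

/* Resolve in "passwd: files nis winbind" order; the first source that knows
 * the name wins, so winbind is consulted only as a fallback. */
int lookup_uid(const char *name, const char *workgroup)
{
    const char *key = trim_default_domain(name, workgroup);
    int uid = find(nis_passwd, sizeof nis_passwd / sizeof nis_passwd[0], key);
    if (uid < 0)
        uid = find(winbind_map, sizeof winbind_map / sizeof winbind_map[0], key);
    return uid;
}

int main(void)
{
    printf("%d %d %d\n", lookup_uid("FOO\\user1", "FOO"),
           lookup_uid("FOO\\adsuser1", "FOO"), lookup_uid("BAR\\user1", "FOO"));
    return 0;
}
```

The match is by name alone: once the prefix is stripped, FOO\user1 resolves to whatever "user1" means in the earlier sources, while a name from another domain or one that merely begins with the workgroup string (FOOBAR\user1) is left untouched.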


More information about the samba-technical mailing list