patch to allow winbind to provide fallback for nsswitch lookups

Luke Mewburn luke at mewburn.net
Thu Oct 28 22:24:59 GMT 2004


On Thu, Oct 28, 2004 at 09:41:31AM -0500, Gerald (Jerry) Carter wrote:
  | no offense, but I really hate the parameter name.  I've
  | got a long standing bitterness against 'winbind use
  | default domain' since it caused so many problems in the
  | Samba code.

No offense taken; I knew that the name of the parameter could be
improved.


  | And the way I read your code, you are just checking if the
  | user exists and if not, calling the add_user_script.
  | If this is the case, then why not just not set the idmap uid
  | and gid ranges?

That's not what the code does (or is intended to do), and
I've tried numerous samba configuration variations to do what
is needed and nothing worked.

The existing code works something like this for an ADS user "foo"
that has an entry in the NIS passwd map:
	- given krb ticket "foo@REALM"
	- the krb ticket is converted to "REALM\foo"
	- smb_getpwnam("REALM\foo")
		- nss_files doesn't match
		- nss_nis doesn't match
		- nss_winbind matches as "REALM\foo", fakes up a
		  passwd (with a UID from "idmap uid" range)
	- smbd uses the faked winbind UID

With the patch (and appropriate smb.conf settings)
	- given krb ticket "foo@REALM"
	- the krb ticket is converted to "REALM\foo"
	- the leading "REALM\" is stripped because it's our current workgroup
	  and 'trim default domains =yes'
	- smb_getpwnam("foo")
		- nss_files doesn't match
		- nss_nis matches and returns the real UID
	- smbd uses the real UID

Of course, for ADS-only users, winbind will provide a faked up UID
as per the first example, which is what we want.


  | And I think that these types of checks make smbd
  | overly complicated.  The right place to put them would
  | be to have winbindd return the uid for a stripped username.
  | But again, I'm a little conservative on these types of
  | changes since we end up with overly complicated code
  | with too many if() statements.
  |
  | But if you can give a clean implementation in winbindd_getpwnam()
  | and winbindd_getgrnam(), I'd be willing to look at it.  Also don't
  | forget about getpwent() and getgrent().

I first considered putting the functionality into winbindd(8),
but I was concerned about what the callers did.

I am unsure if it's considered acceptable for the pw_nam returned
by winbind's getpw*() nss backend to differ from the name the
function was invoked with (e.g, given "REALM\foo", pw_nam == "foo"),
so I left that alone.

If it _is_ acceptable for nss_winbind_getpwnam(argnam) to return
a pw->pw_nam that is different to the given argnam, then I can
investigate implementing 'winbind trim default domain' (or whatever)
instead.


Luke.
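The two lookup paths traced in the message above, as an added simulation that is not Samba code and not part of the original thread. It models smb_getpwnam() walking nss_files -> nss_nis -> nss_winbind, once without the proposed trimming (winbind fakes a UID from the idmap range even though NIS knows "foo") and once with the local workgroup prefix stripped (the real NIS UID wins). The workgroup name, the idmap range, the passwd maps and the set of AD accounts are all constructed for the example; the message does not say how an ADS-only user reaches winbind once the prefix has been stripped, so the example assumes the untrimmed "REALM\user" is retried when the trimmed name matches nothing.

```python
"""Added example (not Samba code): smb_getpwnam() over an nsswitch chain with a
winbind fallback, with and without stripping the local workgroup prefix."""

WORKGROUP = "REALM"               # assumption: smb.conf 'workgroup' == realm short name
WINBIND_SEP = "\\"                # assumption: 'winbind separator' left at its default
IDMAP_UID_RANGE = (10000, 20000)  # assumption: 'idmap uid = 10000-20000'

# Constructed sample maps standing in for /etc/passwd and the NIS passwd map.
FILES_PASSWD = {"root": 0, "daemon": 1}
NIS_PASSWD = {"foo": 5001, "bar": 5002}
# Constructed set of accounts that exist in the AD domain (what winbind would find).
AD_USERS = {"foo", "bar", "baz"}


def nss_files(name):
    uid = FILES_PASSWD.get(name)
    return None if uid is None else {"pw_name": name, "pw_uid": uid, "source": "files"}


def nss_nis(name):
    uid = NIS_PASSWD.get(name)
    return None if uid is None else {"pw_name": name, "pw_uid": uid, "source": "nis"}


class Winbind:
    """nss_winbind stand-in: answers only for 'WORKGROUP\\user' and hands out
    UIDs from the idmap range, remembering each allocation as idmap would."""

    def __init__(self, uid_range=IDMAP_UID_RANGE):
        self.next_uid, self.max_uid = uid_range
        self.allocated = {}

    def getpwnam(self, name):
        domain, sep, user = name.partition(WINBIND_SEP)
        if not sep or domain.upper() != WORKGROUP or user not in AD_USERS:
            return None
        if name not in self.allocated:
            if self.next_uid > self.max_uid:
                raise RuntimeError("idmap uid range exhausted")
            self.allocated[name] = self.next_uid
            self.next_uid += 1
        return {"pw_name": name, "pw_uid": self.allocated[name], "source": "winbind"}


def principal_to_name(principal):
    """'foo@REALM' -> 'REALM\\foo', the form smbd hands to smb_getpwnam()."""
    user, at, realm = principal.rpartition("@")
    if not at:
        raise ValueError("not a Kerberos principal: %r" % principal)
    return realm.upper() + WINBIND_SEP + user


def trim_default_domain(name):
    """Strip a leading 'WORKGROUP\\' only when it names our own workgroup.
    A trusted domain's prefix (e.g. 'OTHER\\foo') must survive, otherwise
    OTHER\\foo would resolve to the local account 'foo'."""
    domain, sep, user = name.partition(WINBIND_SEP)
    if sep and domain.upper() == WORKGROUP:
        return user
    return name


def smb_getpwnam(name, backends):
    """Walk the nsswitch chain in order; the first backend that matches wins."""
    for lookup in backends:
        entry = lookup(name)
        if entry is not None:
            return entry
    return None


def resolve(principal, trim, winbind):
    """Resolve a ticket principal to a passwd entry along the message's two paths.
    Assumption (not stated in the message): if the trimmed name matches nothing,
    retry the untrimmed 'REALM\\user' so an ADS-only user still gets a winbind entry."""
    full_name = principal_to_name(principal)
    chain = [nss_files, nss_nis, winbind.getpwnam]
    if trim:
        entry = smb_getpwnam(trim_default_domain(full_name), chain)
        if entry is not None:
            return entry
    return smb_getpwnam(full_name, chain)


if __name__ == "__main__":
    print(resolve("foo@REALM", trim=False, winbind=Winbind()))  # winbind, faked UID 10000
    print(resolve("foo@REALM", trim=True, winbind=Winbind()))   # nis, real UID 5001
    print(resolve("baz@REALM", trim=True, winbind=Winbind()))   # ADS-only: winbind, UID 10000
    print(resolve("foo@OTHER", trim=True, winbind=Winbind()))   # trusted domain, not trimmed: None
```

The check worth keeping from this simulation is the one in trim_default_domain(): the prefix is only dropped when it is exactly the local workgroup. Stripping every "DOMAIN\" prefix would let a trusted domain's "foo" land on the local NIS account "foo" and its files, which is the same class of collision the message is trying to avoid in the other direction (one person ending up with a faked idmap UID and a real NIS UID).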