sambauser at katehok.ac93.org
Fri Sep 24 18:13:29 GMT 2004
Simo Sorce wrote:
>On Thu, 2004-09-23 at 17:14, Igor Belyi wrote:
>>Just to clarify the idea - pushing _all_ NSS calls from common pdbpass
>>functions into backends and letting ldapsam backend assume that UNIX
>>accounts and groups are in traditional LDAP objects while keeping all
>>other backends to use NSS calls is the right approach. Is that correct?
>no, sorry that is not correct.
>There is always one account that does not obey that rule, that's root
>(never seen anybody putting it into ldap, it is always in /etc/passwd).
>And I've seen other environments that also use ldap only for samba user
>part storage and not for unix user storage (no nss_ldap on the system).

Then get_memberuids() is doomed. To get the list of all users whose
primary group has a particular gid you need to either have their
posixAccount in LDAP to allow filter to do the work or list all users
via NSS as get_memberuids() function does now.

And on a related note - I thought that Samba does not use NSS calls to find
root. To become root it just calls setreuid(0, 0). If you use user
_named_ "root" to do Samba administration then Samba should have a way
to authenticate you as the one. Now, if this administrative user is not
in Samba user database, how does Samba authenticate it? Does Samba check
that user is not in its user database and then proceed with PAM (or
whatever is in place) authentication? Does it do it only for
administrative accounts (set with "admin users" or having uid=0) or for
all? I'm still digging through the code but I'd appreciate if there's a
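
An added illustration, not part of the original message and not Samba's code, of the trade-off discussed in this thread: resolving primary-group membership by walking the whole passwd database through NSS versus matching only posixAccount entries in LDAP. The account names, gid 513 and the in-memory "directory" are constructed sample data, and the function names are hypothetical.

```python
import grp
import pwd
from collections import namedtuple

Passwd = namedtuple("Passwd", "pw_name pw_gid")  # the two passwd fields used here

def member_uids_nss(gid, passwd=None, explicit_members=None):
    """Explicit group members plus every account whose primary gid matches,
    found by enumerating the full passwd database (the NSS approach)."""
    if passwd is None:
        passwd = pwd.getpwall()  # full enumeration through NSS
    if explicit_members is None:
        try:
            explicit_members = grp.getgrgid(gid).gr_mem
        except KeyError:
            explicit_members = []
    names = list(explicit_members)
    for entry in passwd:
        if entry.pw_gid == gid and entry.pw_name not in names:
            names.append(entry.pw_name)
    return names

def member_uids_ldap(gid, directory):
    """What a filter like (&(objectClass=posixAccount)(gidNumber=<gid>))
    would match: only accounts whose UNIX side is stored in LDAP."""
    return [e["uid"] for e in directory
            if "posixAccount" in e["objectClass"] and e.get("gidNumber") == gid]

def missed_by_ldap(gid, passwd, directory):
    """Accounts NSS reports for the gid that the LDAP-only lookup never sees."""
    seen = set(member_uids_ldap(gid, directory))
    return [n for n in member_uids_nss(gid, passwd, []) if n not in seen]

# Constructed data: root and svc_backup exist only in /etc/passwd;
# carol has a Samba entry in LDAP but no posixAccount attributes.
NSS_PASSWD = [Passwd("root", 0), Passwd("alice", 513),
              Passwd("bob", 513), Passwd("svc_backup", 513)]
LDAP_DIR = [
    {"uid": "alice", "objectClass": ["posixAccount", "sambaSamAccount"], "gidNumber": 513},
    {"uid": "bob", "objectClass": ["posixAccount", "sambaSamAccount"], "gidNumber": 513},
    {"uid": "carol", "objectClass": ["sambaSamAccount"]},
]

if __name__ == "__main__":
    print("NSS :", member_uids_nss(513, NSS_PASSWD, []))
    print("LDAP:", member_uids_ldap(513, LDAP_DIR))
    print("missed for gid 513:", missed_by_ldap(513, NSS_PASSWD, LDAP_DIR))
    print("missed for gid 0  :", missed_by_ldap(0, NSS_PASSWD, LDAP_DIR))
```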