get_domain_user_groups() improvement.

Igor Belyi sambauser at katehok.ac93.org
Fri Sep 24 18:13:29 GMT 2004


Simo Sorce wrote:

>On Thu, 2004-09-23 at 17:14, Igor Belyi wrote:
>
>>Just to clarify the idea - pushing _all_ NSS calls from common pdbpass
>>functions into backends and letting ldapsam backend assume that UNIX
>>accounts and groups are in traditional LDAP objects while keeping all
>>other backends to use NSS calls is the right approach. Is that correct?
>
>no, sorry that is not correct.
>There is always one account that does not obey that rule, that's root
>(never seen anybody putting it into ldap, it is always in /etc/passwd).
>And I've seen other environments that also use ldap only for samba user
>part storage and not for unix user storage (no nss_ldap on the system).

Then get_memberuids() is doomed. To get the list of all users whose
primary group has a particular gid you need to either have their
posixAccount in LDAP to allow a filter to do the work or list all users
via NSS as the get_memberuids() function does now.

And on a related note - I thought that Samba does not use NSS calls to find
root. To become root it just calls setreuid(0, 0). If you use a user
_named_ "root" to do Samba administration then Samba should have a way
to authenticate you as that one. Now, if this administrative user is not
in the Samba user database, how does Samba authenticate it? Does Samba check
that the user is not in its user database and then proceed with PAM (or
whatever is in place) authentication? Does it do it only for
administrative accounts (set with "admin users" or having uid=0) or for
all? I'm still digging through the code but I'd appreciate it if there's a
short answer.

Thanks,
Igor


