get_domain_user_groups() improvement.

Simo Sorce idra at samba.org
Mon Sep 27 08:57:15 GMT 2004


On Fri, 2004-09-24 at 20:13, Igor Belyi wrote:
> Simo Sorce wrote:
> 
> >On Thu, 2004-09-23 at 17:14, Igor Belyi wrote:
> >
> >>Just to clarify the idea - pushing _all_ NSS calls from common pdbpass
> >>functions into backends and letting ldapsam backend assume that UNIX
> >>accounts and groups are in traditional LDAP objects while keeping all
> >>other backends to use NSS calls is the right approach. Is that correct?
> >
> >no, sorry that is not correct.
> >There is always one account that does not obey that rule, that's root
> >(never seen anybody putting it into ldap, it is always in /etc/passwd).
> >And I've seen other environments that also use ldap only for samba user
> >part storage and not for unix user storage (no nss_ldap on the system).
> 
> Then get_memberuids() is doomed. To get the list of all users whose
> primary group has a particular gid you need to either have their
> posixAccount in LDAP to allow the filter to do the work or list all users
> via NSS as the get_memberuids() function does now.

I know, that's why I told you to carefully think about the patch.

> And on a related note - I thought that Samba does not use NSS calls to find
> root. To become root it just calls setreuid(0, 0). If you use a user
> _named_ "root" to do Samba administration then Samba should have a way
> to authenticate you as that one. Now, if this administrative user is not
> in the Samba user database, how does Samba authenticate it?

It is, but you have only the sambaSamAccount part not the posixAccount
portion.

> Does Samba check
> that the user is not in its user database and then proceed with PAM (or
> whatever is in place) authentication?

No.

> Does it do it only for
> administrative accounts (set with "admin users" or having uid=0) or for
> all?

No.

> I'm still digging through the code but I'd appreciate it if there's a
> short answer.

The short answer is reintroducing the ldap trust ids param as abartlet
suggested; I think, measuring pros and cons, that that's the better
approach for the samba3 code base.

Simo.

-- 
Simo Sorce    -  idra at samba.org
Samba Team    -  http://www.samba.org
Italian Site  -  http://samba.xsec.it