why do we log this error from testparm ?

Luke Mewburn luke at mewburn.net
Tue Apr 12 01:21:25 GMT 2005


On Tue, Apr 12, 2005 at 11:00:04AM +1000, James Peach wrote:
  | On Mon, Apr 11, 2005 at 05:57:32PM -0500, Gerald (Jerry) Carter wrote:
  | > 'winbind separator = +' might cause problems with group membership.
  | 
  | smb.conf(5):
  | ...
  |           Please note that setting this parameter to + causes problems
  | 	  with group membership at least on glibc systems, as the
  | 	  character + is used as a special character for NIS in
  | 	  /etc/group.
  | 
  | I don't know whether this is still true ..

Unless glibc had a widely divergent implementation of the '+' NIS
compat support in /etc/passwd & /etc/group from other systems,
I doubt it was ever a problem.

The original use of "+" in /etc/passwd and /etc/group came from
(I believe) SunOS 4, where it enabled the use of NIS for passwd
and group lookups.  Other systems (such as 4.4BSD derived systems
like NetBSD) inherited this functionality.
This predated nsswitch.conf (in SunOS 5 -- Solaris) and svc.conf
(in ULTRIX), and Solaris retained the support via the special
nsswitch.conf passwd source "compat" (and the database "passwd_compat").

Some points about the common implementation of the passwd compat
(aka NIS) support activated by "+" (on systems such as SunOS 4,
Solaris, NetBSD, ...):

   (a)	The "+" must appear at the start of a line in /etc/passwd.
	The entry can be a single "+" or a complete /etc/passwd
	entry such as "+::::::"
	Other characters may appear after the "+".
	E.g.:

	    *	"+" means use all users from the compat source
		(e.g, NIS).

	    *	"+foo" means use the info for user "foo" from the
		compat source at this point.

	    *	"+@bar" means look up the users from netgroup "bar"
		from the compat source and return those.
		Multiple lookups will return multiple results
		from the netgroup.

	    *	A non-empty value for other fields in a "+" entry
		(e.g, the shell being "/bin/false") causes the
		entry retrieved from the compat source to have
		that field overridden with that value.
		The passwd field may be an exception to this.

   (b)	Most systems support continuing to parse /etc/passwd after
	parsing a compat "+" line and all its contents.

   (c)	nsswitch implementations support a "passwd_compat" database
	to change the source where the + lookups for "passwd" are
	performed.
	E.g, nis, nisplus, dns (for HESIOD), ldap, winbind, ...
	Obviously you can't use "files" or "compat" as sources here.

   (d)	If a compat lookup (e.g, from NIS or winbind) returns
	a "+" in a name, even at the start of the line, the
	compat parsing code won't try to recursively perform
	a compat lookup.
	I.e, the "+" parsing code is only performed against
	/etc/passwd entries.
	I don't know if glibc does something different to this
	for this particular point.

/etc/group functions in a similar way, although at least NetBSD
doesn't support +@netgroup in /etc/group at this time.


(I wrote the nsswitch support in NetBSD many years ago, based
on observations of the SunOS 4, SunOS 5, ULTRIX, and Tru64
implementations, and FreeBSD now uses that nsswitch code as well.)

I hope that's useful,
Luke.
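
Points (a), (b) and (d) of the message above as a small Python model. This is an added illustration, not code from NetBSD, glibc or Samba; the compat source, netgroup table and passwd text are constructed sample data, and leaving the passwd field out of the override is an assumption.

```python
# Illustrative model of passwd "compat" parsing; not code from any libc.
FIELDS = 7  # name:passwd:uid:gid:gecos:dir:shell

# Constructed sample data. SOURCE stands in for the compat source (NIS, winbind, ...).
SOURCE = {
    "alice":   ("alice", "x", "2001", "2000", "Alice", "/home/alice", "/bin/sh"),
    "DOM+bob": ("DOM+bob", "x", "2002", "2000", "Bob", "/home/bob", "/bin/sh"),
    "+odd":    ("+odd", "x", "2003", "2000", "", "/home/odd", "/bin/sh"),
}
NETGROUPS = {"staff": ["DOM+bob", "+odd"]}
SAMPLE = (
    "root:*:0:0:root:/root:/bin/sh\n"
    "+alice::::::/bin/false\n"
    "+@staff\n"
    "local:*:1000:1000::/home/local:/bin/sh\n"
)

def select(selector, source, netgroups):
    """Names a '+' entry asks for: all users, one netgroup, or one user."""
    if selector == "":
        return list(source)
    if selector.startswith("@"):
        return [n for n in netgroups.get(selector[1:], []) if n in source]
    return [selector] if selector in source else []

def resolve(passwd_text, source, netgroups):
    """Expand /etc/passwd-style text into the entries a lookup would see."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        f = (line.split(":") + [""] * FIELDS)[:FIELDS]
        if not f[0].startswith("+"):          # (a) only a leading "+" is special
            entries.append(tuple(f))
            continue
        for name in select(f[0][1:], source, netgroups):
            rec = list(source[name])
            for i in range(2, FIELDS):        # assumption: passwd (index 1) is not overridden
                if f[i]:
                    rec[i] = f[i]             # non-empty local field overrides the source
            # (d) rec[0] is returned as-is; a "+" in it is never re-parsed.
            entries.append(tuple(rec))
        # (b) the loop simply moves on to the next line of the file.
    return entries

if __name__ == "__main__":
    for e in resolve(SAMPLE, SOURCE, NETGROUPS):
        print(":".join(e))
```

In this model a name such as `DOM+bob`, or even `+odd`, passes through unchanged because the "+" handling applies only to lines read from the file, which is point (d).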