why do we log this error from testparm ?

Luke Mewburn luke at mewburn.net
Tue Apr 12 01:21:25 GMT 2005

On Tue, Apr 12, 2005 at 11:00:04AM +1000, James Peach wrote:
  | On Mon, Apr 11, 2005 at 05:57:32PM -0500, Gerald (Jerry) Carter wrote:
  | > Hash: SHA1
  | > 
  | > 'winbind separator = +' might cause problems with group membership.
  | smb.conf(5):
  | ...
  |           Please note that setting this parameter to + causes problems
  | 	  with group membership at least on glibc systems, as the
  | 	  character + is used as a special character for NIS in
  | 	  /etc/group.
  | I don't know whether this is still true ..

Unless glibc had a widely divergent implementation of the '+' NIS
compat support in /etc/passwd & /etc/group from other systems,
I doubt it was ever a problem.

The original use of "+" in /etc/passwd and /etc/group came from
(I believe) SunOS 4, where it enabled the use of NIS for passwd
and group lookups.  Other systems (such as 4.4BSD derived systems
like NetBSD) inherited this functionality.
This predated nsswitch.conf (in SunOS 5 -- Solaris) and svc.conf
(in ULTRIX), and Solaris retained the support via the special
nsswitch.conf passwd source "compat" (and the database "passwd_compat").

Some points about the common implementation of the passwd compat
(aka NIS) support activated by "+" (on systems such as SunOS 4,
Solaris, NetBSD, ...):

   (a)	The "+" must appear at the start of a line in /etc/passwd.
	The entry can be a single "+" or a complete /etc/passwd
	entry such as "+::::::"
	Other characters may appear after the "+".

	    *	"+" means use all users from the compat source
		(e.g, NIS).

	    *	"+foo" means use the info for user "foo" from the
		compat source at this point.

	    *	"+ at bar" means lookup the users from netgroup "bar"
		from the compat source and return those.
		Multiple lookups will return multiple results
		from the netgroup.

	    *	A non-empty value for other fields in a "+" entry
		(e.g, the shell being "/bin/false") causes the
		entry retreived from the compat source to have
		the field to be overridden with that value. 
		The passwd field may be an exception to this.

   (b)	Most systems support continue parsing /etc/passwd after
	parsing a compat "+" line and all its contents.

   (c)	nsswitch implementations support a "passwd_compat" database
	to change the source where the + lookups for "passwd" are
	E.g, nis, nisplus, dns (for HESIOD), ldap, winbind, ...
	Obviously you can't use "files" or "compat" as sources here.

   (d)	If a compat lookup (e.g, from NIS or winbind) returns
	a "+" in a name, even at the start of the line, the
	compat parsing code won't try to recursively perform
	a compat lookup.
	I.e, the "+" parsing code is only performed against
	/etc/passwd entries.
	I don't know if glibc does something different to this
	for this particular point.

/etc/group functions in a similar way, although at least NetBSD
doesn't support + at netgroup in /etc/group at this time.

(I wrote the nsswitch support in NetBSD many years ago, based
on observations of the SunOS 4, SunOS 5, ULTRIX, and Tru64
implementations, and FreeBSD now uses that nsswitch code as well.)

I hope that's useful,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20050412/698fa53d/attachment.bin

More information about the samba-technical mailing list