RFC: Draft 2 of passdb redesign

Gerald Carter gcarter at valinux.com
Fri Nov 10 17:18:01 GMT 2000 

I'm including a full second draft here for 
completeness sake.  Sorry for taking up extra 
bandwidth.   

The two major changes are 

  - the removal of an opaque handle in preference 
    of a struct sam_passwd*
  - the static memory area used by passdb search 
    functions.


--jerry


Problems
--------
  o current samba code is filled by functions that half
    use passdb backend and half use lp_..() defaults from
    smb.conf

  o two structure are used to represent an account entry.
    smb_passwd {} and sam_passwd{}.  These are used 
    inconsistently through the code.  The major differences 
    exist between the rpc subsystem and normal file/print 
    serving operations.  Jean-Francois has pointed out
    2 other structures as possible canidates for removal
    as well.  I'm looking into this.


The Proposal
------------

  o Introduction of new smb.conf parameter to specify the
    shared library to be used for accessing account information.

        passdb module path = <filemname>

  o removeal of smb_passwd {} struct all together and 
    replacement of universal use of sam_passwd {} via an 
    opaque handle.

  o removal of passdb_ops {} structure.  This struct is for
    defining a set of functions pointers which currently 
    implement the passdb API.  This was previously needed
    as passdb backend support was chosen at compile time.
    This will be replaced by a well defined and documented
    interface shared between the passdb API and the loadable
    backend modules.  More on this in a minute.

  o Implement support for the following backends

      - smbpasswd       (file)
      - TDBPWB          (local DB)
      - LDAP            (using AD schema)

    This means the experiemental NIS+ support  
    will be removed.  I think the general stand on NIS+
    is that it is dying (at least that is my opinion).


Advantages
----------

  o experiement with shared libraries for future use relating 
    to MS-RPC pipe support

  o a single interface allows a single tool to access/update
    all passdb backends without recompiling.  The same tool
    can put from smbpasswd and push to LDAP.

  o fewer compile time descisions (except on platforms 
    that do not support shared libraries of course).

  o More flexibility. For example, you can use 
    include parameters to validate clear text logons 
    against /etc/passwd and encrypted logons against LDAP
    from the same server.

note that the support of the current "migrate passwords" 
needs some thought.  I think I know how to do it, but 
need some more time before posting a design.  The main 
problem is namespace conflicts when loading more than one
passdb module.


Proposed Interface
------------------

The concept of using an opaque handle has been replaced
with a pointer to a SAM_ACCOUNT struct where

	typedef struct sam_passwd SAM_ACCOUNTl;

has been included in include/smb.h

The justification for this change is that it is more
consistent with existing Samba APIs (e.g. the 
struct prs_struct data type and associated functions
in rpc_parse/parse_prs.c).  And that it offers less 
overhead in that we do not have to maintain a mapping of
handles to structures.

In this case, simple is better. :-)

Functions for manipulating sam_passwd struct (common to all
backends).  Again, this is in keeping withthe philosphy that
smbd should be insulated from the sam_passwd internals.

   pdb_get...(SAM_ACCOUNT *sampass);
   pdb_set...(SAM_ACCOUNT *sampass, DATA data);

Backend storage access functions which must be implemented
by each passdb module

   /* 
      Search Functions :

      Each function returns a pointer to a static area
      of memory (one for all functions, not one for each 
      function).  This is done for effenciency.  If the 
      caller wishes to maintain a copy of the SAM_ACCOUNT
      struct across calls(), it must make of copy of the
      struct returned.
   */
   SAM_ACCOUNT* pdb_getsampwent ();
   SAM_ACCOUNT* pdb_getsampwnam (char* username);
   SAM_ACCOUNT* pdb_getsampwuid (uid_t uid);
   SAM_ACCOUNT* pdb_getsampwrid (uint32 rid);


   /* 
    * Storage Access Functions
    */

   /* add a new acount*/
   BOOL pdb_add_sam_account (SAM_ACCOUNT_HND *hnd);
   /* update an account entry */
   BOOL pdb_update_sam_account (SAM_ACCOUNT_HND *hnd);
   /* delete an account entry */
   BOOL pdb_delete_sam_account (SAM_ACCOUNT_HND *hnd);

  

Note that certain functions have been left out of 
the interface (e.g. getsamdispnam()) as these are often 
convienence functions and can easily be added to the basic
passdb.c general interface.




-- 
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

More information about the samba-technical mailing list