RFC: Draft 2 of passdb redesign
Gerald Carter
gcarter at valinux.com
Fri Nov 10 17:18:01 GMT 2000
I'm including a full second draft here for
completeness sake. Sorry for taking up extra
bandwidth.
The two major changes are
- the removal of an opaque handle in preference
of a struct sam_passwd*
- the static memory area used by passdb search
functions.
--jerry
Problems
--------
o current samba code is filled with functions that half
use the passdb backend and half use lp_..() defaults from
smb.conf
o two structures are used to represent an account entry:
smb_passwd {} and sam_passwd {}. These are used
inconsistently throughout the code. The major differences
exist between the rpc subsystem and normal file/print
serving operations. Jean-Francois has pointed out
2 other structures as possible candidates for removal
as well. I'm looking into this.
The Proposal
------------
o Introduction of a new smb.conf parameter to specify the
shared library to be used for accessing account information.
passdb module path = <filename>
o removal of the smb_passwd {} struct altogether and
replacement with universal use of sam_passwd {} via an
opaque handle.
o removal of the passdb_ops {} structure. This struct is for
defining a set of function pointers which currently
implement the passdb API. This was previously needed
as passdb backend support was chosen at compile time.
This will be replaced by a well defined and documented
interface shared between the passdb API and the loadable
backend modules. More on this in a minute.
o Implement support for the following backends
- smbpasswd (file)
- TDBPWB (local DB)
- LDAP (using AD schema)
This means the experimental NIS+ support
will be removed. I think the general stand on NIS+
is that it is dying (at least that is my opinion).
Advantages
----------
o experiment with shared libraries for future use relating
to MS-RPC pipe support
o a single interface allows a single tool to access/update
all passdb backends without recompiling. The same tool
can pull from smbpasswd and push to LDAP.
o fewer compile time decisions (except on platforms
that do not support shared libraries, of course).
o More flexibility. For example, you can use
include parameters to validate clear text logons
against /etc/passwd and encrypted logons against LDAP
from the same server.
Note that support for the current "migrate passwords"
behaviour needs some thought. I think I know how to do it, but
need some more time before posting a design. The main
problem is namespace conflicts when loading more than one
passdb module.
Proposed Interface
------------------
The concept of using an opaque handle has been replaced
with a pointer to a SAM_ACCOUNT struct, where
typedef struct sam_passwd SAM_ACCOUNT;
has been included in include/smb.h
The justification for this change is that it is more
consistent with existing Samba APIs (e.g. the
struct prs_struct data type and associated functions
in rpc_parse/parse_prs.c), and that it offers less
overhead, since we do not have to maintain a mapping of
handles to structures.
In this case, simple is better. :-)
Functions for manipulating the sam_passwd struct (common to all
backends). Again, this is in keeping with the philosophy that
smbd should be insulated from the sam_passwd internals.
pdb_get...(SAM_ACCOUNT *sampass);
pdb_set...(SAM_ACCOUNT *sampass, DATA data);
Backend storage access functions which must be implemented
by each passdb module
/*
Search Functions :
Each function returns a pointer to a static area
of memory (one for all functions, not one for each
function). This is done for efficiency. If the
caller wishes to maintain a copy of the SAM_ACCOUNT
struct across calls, it must make a copy of the
struct returned.
*/
SAM_ACCOUNT *pdb_getsampwent (void);
SAM_ACCOUNT *pdb_getsampwnam (char *username);
SAM_ACCOUNT *pdb_getsampwuid (uid_t uid);
SAM_ACCOUNT *pdb_getsampwrid (uint32 rid);
/*
* Storage Access Functions
* (take the SAM_ACCOUNT pointer directly, now that the
* opaque handle has been dropped)
*/
/* add a new account */
BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass);
/* update an account entry */
BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass);
/* delete an account entry */
BOOL pdb_delete_sam_account (SAM_ACCOUNT *sampass);
Note that certain functions have been left out of
the interface (e.g. getsamdispnam()) as these are often
convenience functions and can easily be added to the basic
passdb.c general interface.
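To show the caveat on the search functions (a single static area shared by all of them, so a caller that keeps a result across calls must copy it), here is an added example of a toy backend written against the interface above. It is not Samba code: the sam_passwd field set, the table contents and the demo function are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
/* Stand-in for struct sam_passwd; this field set is an assumption for the demo. */
typedef struct sam_passwd {
    char     username[32];
    uid_t    uid;
    uint32_t rid;
} SAM_ACCOUNT;

/* Constructed backend contents standing in for an smbpasswd file. */
static const SAM_ACCOUNT backend_table[] = {
    { "alice", 1001, 3002 },
    { "bob",   1002, 3004 },
};
#define BACKEND_COUNT (sizeof backend_table / sizeof backend_table[0])
/* The one static area shared by every search function, as the draft specifies. */
static SAM_ACCOUNT pdb_static_area;
/* Search function: fills the shared area and returns a pointer to it, or NULL. */
SAM_ACCOUNT *pdb_getsampwnam(const char *username)
{
    size_t i;
    for (i = 0; i < BACKEND_COUNT; i++) {
        if (strcmp(backend_table[i].username, username) == 0) {
            pdb_static_area = backend_table[i];
            return &pdb_static_area;
        }
    }
    return NULL;
}

/* pdb_get...() style accessor so smbd never touches sam_passwd internals. */
uint32_t pdb_get_user_rid(const SAM_ACCOUNT *sampass)
{
    return sampass->rid;
}
/* The caveat in the draft: the pointer returned for "alice" is overwritten by
 * the next lookup, so a caller needing both must copy the first. Returns 1 when
 * the copy still holds alice while the raw pointer now shows bob, 0 on failure. */
int demo_static_area_overwrite(void)
{
    SAM_ACCOUNT copy;
    SAM_ACCOUNT *p = pdb_getsampwnam("alice");
    if (p == NULL) return 0;
    copy = *p;                               /* caller-owned copy survives */
    if (pdb_getsampwnam("bob") == NULL) return 0;
    return strcmp(p->username, "bob") == 0 && strcmp(copy.username, "alice") == 0
           && pdb_get_user_rid(&copy) == 3002 && pdb_get_user_rid(p) == 3004;
}
```

A real backend would fill the static area from its storage instead of a table, but the ownership rule is the same: the pointer is only valid until the next search call.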
--
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
http://www.samba.org/ SAMBA Team jerry at samba.org
http://www.plainjoe.org/ jerry at plainjoe.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )