Re: get_domain_user_groups() improvement. - Samba
On Fri, 2004-09-24 at 20:13, Igor Belyi wrote:
> Simo Sorce wrote:
> >On Thu, 2004-09-23 at 17:14, Igor Belyi wrote:
> >>Just to clarify the idea - pushing _all_ NSS calls from common pdbpass
> >>functions into backends and letting ldapsam backend assume that UNIX
> >>accounts and groups are in traditional LDAP objects while keeping all
> >>other backends to use NSS calls is the right approach. Is that correct?
> >no, sorry that is not correct.
> >There is always one account that does not obey that rule, that's root
> >(never seen anybody putting it into ldap, it is always in /etc/passwd).
> >And I've seen other environments that also use ldap only for samba user
> >part storage and not for unix user storage (no nss_ldap on the system).
> Then get_memberuids() is doomed. To get the list of all users whose
> primary group has a particular gid you need to either have their
> posixAccount in LDAP to allow filter to do the work or list all users
> via NSS as get_memberuids() function does now.
I know, that's why I told you to carefully think about the patch.
> And on a related note - I thought that Samba does not use NSS calls to find
> root. To become root it just calls setreuid(0, 0). If you use user
> _named_ "root" to do Samba administration then Samba should have a way
> to authenticate you as the one. Now, if this administrative user is not
> in Samba user database, how does Samba authenticate it?
It is, but you have only the sambaSamAccount part, not the posixAccount
> Does Samba check
> that user is not in its user database and then proceed with PAM (or
> whatever is in place) authentication?
> Does it do it only for
> administrative accounts (set with "admin users" or having uid=0) or for
> I'm still digging through the code but I'd appreciate if there's a
> short answer.
The short answer is reintroducing the ldap trust ids param as abartlet
suggested; I think, measuring the pros and cons, that that's the better
approach for the samba3 code base.
Simo Sorce - firstname.lastname@example.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it