Gary Winiger wrote:
>>> My concern is here in nsswitch.conf(4) functionality.
>>> From the provided it's not clear what the project is
>>> proposing.
>>>
>> This case basically allows any application using
>> get{pw,gr}{nam,uid,gid}() interfaces to resolve Windows users and group
>> names using native Active Directory schema. (nssad_details.txt, Section
>> 6, Bullet 6 has the example).
>>
>>> + When using Active Directory with native schema for name service,
>>> + the default configuration should be modified to use ad for
>>> + for passwd and group, dns for hosts resolution and files
>>> + for the remaining databases on client machines.
>>>
>>> What passwd:, group: entries are supported?
>>>
>> You can add "ad" to any of the existing valid passwd: and group: entries.
>> Examples:
>> passwd: files ad OR
>> passwd: files ldap ad
>>
>>> In particular how are passwd(1), getauusernam(3), getuserattr(3)
>>> and possibly other interfaces affected.
>>>
>> passwd(1) is not supported for "ad". Probably that needs to be addressed
>
> So this project intends to modify the architecure of passwd(1)
> where is keeps in sync a user's password across password repositories.
> It further seems to add a 3rd name service repository where
> in the past only two were implicitly supported.
>
> For those name services databases that follow the passwd:
> entry, audit_user(4) and user_attr(4) in particular will
> there be any issues in lookup? If not found in the first or
> second entry, will the (now third) be processed?
>
> Will getpwnam type stuff function like:
> passwd: files ldap ad
> And getauusernam() and getuserattr() function like:
> passwd: files ldap [NOTFOUND=return] ad
along the same lines, nsswitch.conf(4) states in NOTES section:
.....
The use of both nis and nisplus as sources for the same
database is strongly discouraged since both the name ser-
vices are expected to store similar information and the
lookups on the database may yield different results depend-
ing on which name service is operational at the time of the
request. The same applies for using ldap along with nis or
nisplus.
....
These sentences probably need to mention ad repository somehow as well.
>
> IMO, it is important to understand this and ensure that users
> of nss_ad are correctly informed.
need for Solaris Admin guide update with this case ?
Also, I understand that Windows logons are out of scope. However:
- I don't see it mentioned in the provided man pages and this shall be
somewhere in the public documentation IMO (man pages and/or Admin guide)
- it's said in the case that 'sp_pwdp will be "*NP*"' ? will this
prevent Windows logons or does our PAM stack/modules need to take this
into account ? e.g., what if one answers the login prompt with
myuser at addomain, which presumably would get resolved by
getpwnam/getspnam ? what's the expected behavior ?
Serge
>
> Gary..
> _______________________________________________
> sparks-discuss mailing list
> sparks-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/sparks-discuss
