Re: status of unixsam and guest passdb backends?
On Mon, 2003-03-31 at 18:52, Alexander Bokovoy wrote:
> On Mon, Mar 31, 2003 at 10:23:16AM +1000, Andrew Bartlett wrote:
> > > > Guestsam is in there to provide the only useful thing unixsam did -
> > > > ensuring that the guest account really was the guest, and had the guest
> > > > RID. It also helped with some Win2k behavior that assumed the presence
> > > > of the guest account.
> > >
> > > Could you update smb.conf(5) to this effect? Thanks.
> > Sure.
> Andrew, also put your changes into new smb.conf(5) doc in HEAD
> (docs/docbook/smbdotconf/) so that data wouldn't be unsynchronized. I'm
> expecting to finish HEAD conversion to Docbook XML late this week.

I was wondering about that...

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: status of unixsam and guest passdb backends?
On Mon, Mar 31, 2003 at 10:23:16AM +1000, Andrew Bartlett wrote:
> > > Guestsam is in there to provide the only useful thing unixsam did -
> > > ensuring that the guest account really was the guest, and had the guest
> > > RID. It also helped with some Win2k behavior that assumed the presence
> > > of the guest account.
> >
> > Could you update smb.conf(5) to this effect? Thanks.
> Sure.

Andrew, also put your changes into new smb.conf(5) doc in HEAD
(docs/docbook/smbdotconf/) so that data wouldn't be unsynchronized. I'm
expecting to finish HEAD conversion to Docbook XML late this week.

--
/ Alexander Bokovoy
---
"You know, of course, that the Tasmanians, who never committed adultery,
are now extinct." - M. Somerset Maugham
Re: status of unixsam and guest passdb backends?
On Mon, 2003-03-31 at 10:10, Gerald (Jerry) Carter wrote:
> On 31 Mar 2003, Andrew Bartlett wrote:
>
> > > Unixsam was a useful hack and a bad idea. Most of what it was trying
> > > to do it couldn't really do, and will be replaced by idmap. I had
> > > wanted all rid->uid translations to go via the passdb. However, we
> > > still have to map uid->rid for 'non-existent' accounts, so the
> > > fallback code never got removed, and having unixsam just confused
> > > things (particularly when we were running winbindd too).
> > >
> > > It also broke a pile of conventions about the relationship between
> > > unix and Samba accounts, as you correctly note.
> >
> > Guestsam is in there to provide the only useful thing unixsam did -
> > ensuring that the guest account really was the guest, and had the guest
> > RID. It also helped with some Win2k behavior that assumed the presence
> > of the guest account.
>
> Could you update smb.conf(5) to this effect? Thanks.

Sure.

> Should unixsam support be removed altogether so people can't
> break their servers by listing it in the passdb backends?

Hmm... Possibly. On a system that has all authentication otherwise
redirected, it might have some value, but that's marginal. Its only
current value is in sid->name and name->sid translations.

My intention is to separate the sid->name issue into another layer, much
in the same way that the idmap is being split off. That way we can do the
simple sid->name mapping for 'unix' users, but don't commit to having a
full passdb record for them.

I'll have to see how this impacts on things like domain joins however.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: status of unixsam and guest passdb backends?
On 31 Mar 2003, Andrew Bartlett wrote:
> > Unixsam was a useful hack and a bad idea. Most of what it was trying
> > to do it couldn't really do, and will be replaced by idmap. I had
> > wanted all rid->uid translations to go via the passdb. However, we
> > still have to map uid->rid for 'non-existent' accounts, so the
> > fallback code never got removed, and having unixsam just confused
> > things (particularly when we were running winbindd too).
> >
> > It also broke a pile of conventions about the relationship between
> > unix and Samba accounts, as you correctly note.
>
> Guestsam is in there to provide the only useful thing unixsam did -
> ensuring that the guest account really was the guest, and had the guest
> RID. It also helped with some Win2k behavior that assumed the presence
> of the guest account.

Could you update smb.conf(5) to this effect? Thanks.

Should unixsam support be removed altogether so people can't
break their servers by listing it in the passdb backends?

cheers, jerry

--
Hewlett-Packard - http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
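A pre-deployment check for the concern raised in the message above, as an added example that is not part of the thread or of Samba's code: it reads smb.conf text and reports any unixsam entry in the passdb backend list. The list separators, the handling of parameters placed before any section header, and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: list values may be separated by whitespace, commas or semicolons.
LIST_SEP = re.compile(r"[\s,;]+")

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def passdb_backends(conf_text):
    """Return the 'passdb backend' list from the global section, or None."""
    section, backends, pending = None, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = _norm(header.group(1))
            continue
        # Assumption: parameters before any section header count as global.
        if section in (None, "global") and "=" in line:
            key, value = line.split("=", 1)
            if _norm(key) == "passdbbackend":
                backends = [b for b in LIST_SEP.split(value.strip()) if b]
    return backends

def unixsam_entries(conf_text):
    """Backends named unixsam (an optional ':location' suffix is ignored)."""
    return [b for b in (passdb_backends(conf_text) or [])
            if b.split(":", 1)[0].lower() == "unixsam"]

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Passdb Backend = smbpasswd, \\
        unixsam guest
[homes]
   read only = no
"""

if __name__ == "__main__":
    for entry in unixsam_entries(SAMPLE):
        print("passdb backend lists", entry, "- remove it before deploying")
```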
Re: status of unixsam and guest passdb backends?
On Mon, 2003-03-31 at 09:48, Andrew Bartlett wrote:
> On Mon, 2003-03-31 at 08:48, Gerald (Jerry) Carter wrote:
> > Andrew,
> >
> > I notice that the default for the passdb backend parameter has been
> > changed in SAMBA_3_0/HEAD, but the man page has not been updated.
> > Since it was "passdb backend = unixsam" that was breaking
> > 'smbpasswd -a', I'm wondering is unixsam even useful anymore?
> > Maybe for a clear text password server
>
> Unixsam was a useful hack and a bad idea. Most of what it was trying to
> do it couldn't really do, and will be replaced by idmap. I had wanted
> all rid->uid translations to go via the passdb. However, we still have
> to map uid->rid for 'non-existent' accounts, so the fallback code never
> got removed, and having unixsam just confused things (particularly when
> we were running winbindd too).
>
> It also broke a pile of conventions about the relationship between unix
> and Samba accounts, as you correctly note.

Guestsam is in there to provide the only useful thing unixsam did -
ensuring that the guest account really was the guest, and had the guest
RID. It also helped with some Win2k behavior that assumed the presence
of the guest account.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: status of unixsam and guest passdb backends?
On Mon, 2003-03-31 at 08:48, Gerald (Jerry) Carter wrote:
> Andrew,
>
> I notice that the default for the passdb backend parameter has been
> changed in SAMBA_3_0/HEAD, but the man page has not been updated.
> Since it was "passdb backend = unixsam" that was breaking
> 'smbpasswd -a', I'm wondering is unixsam even useful anymore?
> Maybe for a clear text password server

Unixsam was a useful hack and a bad idea. Most of what it was trying to
do it couldn't really do, and will be replaced by idmap. I had wanted
all rid->uid translations to go via the passdb. However, we still have
to map uid->rid for 'non-existent' accounts, so the fallback code never
got removed, and having unixsam just confused things (particularly when
we were running winbindd too).

It also broke a pile of conventions about the relationship between unix
and Samba accounts, as you correctly note.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net