Darren J Moffat wrote:
> Gary Winiger wrote:
>>> Jarrett Lu wrote:
>>>> In the DMZ example, it's correct that user identity can be centrally
>>>> administered in an LDAP database. However, passwd files need not be shared by all
>>>> zones. In fact each zone can have its own copy of the passwd file so that the zone
>>>> admin can administer users on a per-zone basis.
>>> Do we document how to do that though? Since by default getpwnam
>>> will use nscd and given that the door points to the global zone one
>>> the local /etc/passwd file never gets consulted.
>>
>> Hummm, is something different here? I thought getXbyY in each labeled
>> zone would follow nsswitch.conf and go to nscd (global zone only)
>> only for name services. Is nscd involved with files lookups?
>
> If an app calls getpwnam in a labeled zone, the nsswitch would call on
> nscd; if nscd is running we never look at local files.
>
> nscd will cache for files, nis, nisplus, ldap.

Yes, but passwdutil has to call specific name services during authentication (fgetpwent), so a user will be authenticated using the zone's files. After auth we will need data from nscd when running pam_unix_account, etc.
I believe it was our intention that the zones all be synchronized with regard to general naming and that normal users exist only in ldap. With files a user could probably have different and/or locked passwords in some zones within their accreditation range, but their g-z password is all they need to get to all their zones via X.

-Will