Gary Winiger wrote:
>>> | nsswitch.conf.4.txt | Modified nsswitch.conf(4) manpage |
>>> +---------------------+-----------------------------------+
>>>
>>
>> Please provide them and I'll make a best effort to review
>> by the timer.
>>
>
> My concern is here in nsswitch.conf(4) functionality.
> From the provided it's not clear what the project is
> proposing.
>

This case basically allows any application using get{pw,gr}{nam,uid,gid}()
interfaces to resolve Windows users and group names using native Active
Directory schema. (nssad_details.txt, Section 6, Bullet 6 has the example).

> + When using Active Directory with native schema for name service,
> + the default configuration should be modified to use ad for
> + passwd and group, dns for hosts resolution and files
> + for the remaining databases on client machines.
>
> What passwd:, group: entries are supported?
>

You can add "ad" to any of the existing valid passwd: and group: entries.

Examples:

passwd: files ad

OR

passwd: files ldap ad

> In particular how are passwd(1), getauusernam(3), getuserattr(3)
> and possibly other interfaces affected.
>

passwd(1) is not supported for "ad". Probably that needs to be addressed
when we support Windows users to logon to Solaris, which is beyond the
scope of this case. For now passwords of Active Directory users can be
changed using kpasswd(1) because AD users are Kerberos principals.

Currently AD does not have a native schema that can be mapped to Solaris
RBAC databases. Therefore RBAC databases won't be supported with "ad".

--Baban

> Gary..
> VIZ.
>
> Interaction with Password Aging
> When password aging is turned on, only a limited set of possible
> name services are permitted for the passwd: database
> in the /etc/nsswitch.conf file:
>
> passwd: files
>
> passwd: files nis
>
> passwd: files nisplus
>
> passwd: files ldap
>
> passwd: compat
>
> passwd_compat: nisplus
>
> passwd_compat: ldap
>
> Any other settings will cause the passwd(1) command to fail
> when it attempts to change the password after expiration and
> will prevent the user from logging in. These are the only
> permitted settings when password aging has been turned on.
>
> Otherwise, you can work around incorrect passwd: lines by
> using the -r repository argument to the passwd(1) command
> and using passwd -r repository to override the nsswitch.conf
> settings and specify in which name service you want to
> modify your password.
>
> Interaction with +/- syntax
> Releases prior to SunOS 5.0 did not have the name service
> switch but did allow the user some policy control. In
> /etc/passwd one could have entries of the form +user
> (include the specified user from NIS passwd.byname), -user
> (exclude the specified user) and + (include everything,
> except excluded users, from NIS passwd.byname). The desired
> behavior was often everything in the file followed by everything
> in NIS, expressed by a solitary + at the end of
> /etc/passwd. The switch provides an alternative for this
> case (passwd: files nis) that does not require + entries in
> /etc/passwd and /etc/shadow (the latter is a new addition to
> SunOS 5.0, see shadow(4)).
>
> If this is not sufficient, the NIS/YP compatibility source
> provides full +/- semantics. It reads /etc/passwd for
> getpwnam(3C) functions and /etc/shadow for getspnam(3C)
> functions and, if it finds +/- entries, invokes an appropriate
> source. By default, the source is nis, but this may be
> overridden by specifying nisplus or ldap as the source for
> the pseudo-database passwd_compat.
>
> Note that in compat mode, for every /etc/passwd entry, there
> must be a corresponding entry in the /etc/shadow file.
>
> The NIS/YP compatibility source also provides full +/-
> semantics for group; the relevant pseudo-database is
> group_compat.
>
> _______________________________________________
> sparks-discuss mailing list
> sparks-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/sparks-discuss
>
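As an added example (not part of this thread and not code from the nsswitch.conf(4) or nss_ad project), the following POSIX sh check lints the passwd: entry of an nsswitch.conf file the way an administrator might before enabling password aging: it compares the entry against the permitted set quoted from the manpage above and flags the "ad" source, for which the thread states passwd(1) is not supported and kpasswd(1) must be used instead. The sample configurations and temporary file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint the passwd: line of an nsswitch.conf(4)-style file.
# Exit codes of check_passwd_entry:
#   0  entry is one of the sources permitted under password aging
#   1  no passwd: line found
#   2  entry is not permitted under password aging (passwd(1) fails at expiry)
#   3  entry includes "ad" (passwd(1) unsupported for AD users; use kpasswd(1))
# Only the passwd: line is inspected; a passwd_compat: line, when present,
# is left to the reader to check the same way.

# passwd_entry FILE: print the normalized source list of the first
# uncommented passwd: line (key stripped, trailing comment removed,
# whitespace squeezed to single spaces).
passwd_entry() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*passwd:/ {
            sub(/^[[:space:]]*passwd:[[:space:]]*/, "")
            sub(/#.*/, "")
            gsub(/[[:space:]]+/, " ")
            sub(/ $/, "")
            print
            exit
        }' "$1"
}

# check_passwd_entry FILE: report on the entry and return the code above.
check_passwd_entry() {
    entry=$(passwd_entry "$1")
    if [ -z "$entry" ]; then
        echo "$1: no passwd: line"
        return 1
    fi
    # "ad" anywhere in the source list: passwd(1) is not supported for it.
    case " $entry " in
        *" ad "*)
            echo "$1: passwd: $entry -- ad source: passwd(1) unsupported, use kpasswd(1)"
            return 3 ;;
    esac
    # Permitted passwd: settings when password aging is on (from the manpage).
    case "$entry" in
        files|"files nis"|"files nisplus"|"files ldap"|compat)
            echo "$1: passwd: $entry -- permitted with password aging"
            return 0 ;;
        *)
            echo "$1: passwd: $entry -- NOT permitted with password aging"
            return 2 ;;
    esac
}

# Constructed sample configurations (hypothetical, written to a temp dir).
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: files ad\ngroup: files ad\nhosts: dns files\n' > "$SAMPLE_DIR/ad.conf"
printf '# local users, then LDAP\npasswd:   files   ldap  # trailing comment\n' > "$SAMPLE_DIR/ldap.conf"
printf 'passwd: files nis ldap\n' > "$SAMPLE_DIR/mixed.conf"
printf 'group: files\n' > "$SAMPLE_DIR/nopasswd.conf"

for f in "$SAMPLE_DIR"/*.conf; do
    check_passwd_entry "$f" || :
done
```

Run it as a plain script; each sample prints one verdict line and the function's return code carries the result, so the same function can be called from a provisioning check against the real /etc/nsswitch.conf.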