On Mon, 2003-03-31 at 10:10, Gerald (Jerry) Carter wrote:
> 
> On 31 Mar 2003, Andrew Bartlett wrote:
> 
> > > Unixsam was a useful hack and a bad idea.  Most of what it was trying
> > > to do it couldn't really do, and will be replaced by idmap.  I had
> > > wanted all rid->uid translations to go via the passdb.  However, we
> > > still have to map uid->rid for 'non-existent' accounts, so the
> > > fallback code never got removed, and having unixsam just confused
> > > things (particularly when we were running winbindd too).
> > > 
> > > It also broke a pile of conventions about the relationship between
> > > unix and Samba accounts, as you correctly note.
> > 
> > Guestsam is in there to provide the only useful thing unixsam did -
> > ensuring that the guest account really was the guest, and had the guest
> > RID.  It also helped with some Win2k behavior that assumed the presence
> > of the guest account.
> 
> Could you update smb.conf(5) to this effect?  Thanks.

Sure.

> Should unixsam support be removed altogether so people can't
> break their servers by listing it in the passdb backends?

Hmm...  Possibly.  On a system that has all authentication otherwise
redirected, it might have some value, but that's marginal.  Its only
current value is in sid->name and name->sid translations.

My intention is to separate the sid->name issue into another layer, much
in the same way that the idmap is being split off.  That way we can do
the simple sid->name mapping for 'unix' users, but don't commit to
having a full passdb record for them.  I'll have to see how this impacts
on things like domain joins however.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
