Date: Wed, 27 Nov 2002 15:06:40 -0600
From: "David W. Chapman Jr."
To: Terry Lambert
Cc: "David W. Chapman Jr.", current@freebsd.org
Subject: Re: pw_user.c change for samba
Message-ID: <20021127210640.GA36331@leviathan.inethouston.net>
In-Reply-To: <3DE5315A.FC6D59B@mindspring.com>

> I gathered that from the SAMBA site, too.
>
> The '$' is a pain.  None of the examples in the original post
> would have worked, because the '$' was not '\$', and the shell
> would have blown chunks over the "variable expansion".

The patch I sent in works with "pw add user asdf$", but you may be
right about scripts if the $ is at the beginning.

> It seems to me that this could cause a great deal of problems
> for scripts that process the password files, as they currently
> exist, if they use constructs like "eval", or back-ticks, etc..

The problems are already being caused though.  If one wants samba to
work on NT/2K/XP they have to manually add these entries in now anyway.

> If it's allowed, it would probably only be allowed in the
> user name (i.e. the patch is wrong; it should probably add
> another parameter to the allowable values of 'int gecos', and
> change it to 'int checktype' or similar).

I don't have a problem with this, but the patch I sent in is the extent
of my abilities to give me desired results (making pw like samba).

> It seems to me that another alternative is that all these
> names end in '$'; therefore, when you are expecting one of
> these names, you could imply a '$', without needing to actually
> have it in the password file -- in other words, it's an
> attribute, not really part of the account name.
>
> Will this open up a security hole for a normal user account
> being used to compromise the domain system security?  Is it
> absolutely necessary to use an in-band method to distinguish
> these records from ordinary user accounts?

I don't think the samba people would be willing to make this type of
change just for FreeBSD since it works for most everyone else.  I also
don't think there is currently a way to store attributes about
machines/users permanently in samba.

-- 
David W. Chapman Jr.
dwcjr@inethouston.net	Raintree Network Services, Inc.
dwcjr@freebsd.org	FreeBSD Committer
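
Added example, not part of the original message and not code from pw(8) or Samba: a shell sketch of the concern discussed above, showing that a script which re-parses login names with "eval" leaves a trailing '$' alone but expands a leading one, while quoted handling preserves both. The sample entries, the variable pc01 and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed passwd(5)-style sample (not real accounts): an ordinary user,
# a machine account ending in '$', and a name that starts with '$'.
sample_passwd() {
cat <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
asdf$:*:1002:1002:NT machine:/nonexistent:/sbin/nologin
$pc01:*:1003:1003:odd name:/nonexistent:/sbin/nologin
EOF
}

# Fragile: eval re-parses each name as shell source, so a leading '$'
# becomes a variable reference. pc01 is set only to make that visible.
names_with_eval() {
    (
        pc01=EXPANDED
        sample_passwd | while IFS=: read -r name rest; do
            eval "echo $name"
        done
    )
}

# Robust: the name is only ever used as a quoted value, never re-parsed.
names_quoted() {
    sample_passwd | while IFS=: read -r name rest; do
        printf '%s\n' "$name"
    done
}

# Machine accounts are the names ending in a literal '$'.
machine_accounts() {
    sample_passwd | while IFS=: read -r name rest; do
        case $name in
            *\$) printf '%s\n' "$name" ;;
        esac
    done
}

echo "eval:     $(names_with_eval | tr '\n' ' ')"
echo "quoted:   $(names_quoted | tr '\n' ' ')"
echo "machines: $(machine_accounts | tr '\n' ' ')"
```
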