Date:      Wed, 27 Nov 2002 15:06:40 -0600
From:      "David W. Chapman Jr." <dwcjr@inethouston.net>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        "David W. Chapman Jr." <dwcjr@inethouston.net>, current@freebsd.org
Subject:   Re: pw_user.c change for samba
Message-ID:  <20021127210640.GA36331@leviathan.inethouston.net>
In-Reply-To: <3DE5315A.FC6D59B@mindspring.com>
References:  <20021127192126.GA31706@leviathan.inethouston.net> <3DE52B70.44402B98@mindspring.com> <20021127203401.GA35573@leviathan.inethouston.net> <3DE5315A.FC6D59B@mindspring.com>

> I gathered that from the SAMBA site, too.
> 
> The '$' is a pain.  None of the examples in the original post
> would have worked, because the '$' was not '\$', and the shell
> would have blown chunks over the "variable expansion".

The patch I sent in works with "pw add user asdf$", but you may be 
right about scripts if the $ is at the beginning.

> It seems to me that this could cause a great deal of problems
> for scripts that process the password files, as they currently
> exist, if they use constructs like "eval", or back-ticks, etc.

The problems are already being caused though.  If one wants samba to 
work on NT/2K/XP they have to manually add these entries in now 
anyway.

> If it's allowed, it would probably only be allowed in the
> user name (i.e. the patch is wrong; it should probably add
> another parameter to the allowable values of 'int gecos', and
> change it to 'int checktype' or similar).

I don't have a problem with this, but the patch I sent in is the 
extent of my abilities to give me desired results (making pw like 
samba).

> It seems to me that another alternative is that all these
> names end in '$'; therefore, when you are expecting one of
> these names, you could imply a '$', without needing to actually
> have it in the password file -- in other words, it's an
> attribute, not really part of the account name.
> 
> Will this open up a security hole for a normal user account
> being used to compromise the domain system security?  Is it
> absolutely necessary to use an in-band method to distinguish
> these records from ordinary user accounts?

I don't think the samba people would be willing to make this type of 
change just for FreeBSD since it works for most everyone else.  I 
also don't think there is currently a way to store attributes about 
machines/users permanently in samba.

-- 
David W. Chapman Jr.
dwcjr@inethouston.net	Raintree Network Services, Inc. <www.inethouston.net>
dwcjr@freebsd.org	FreeBSD Committer <www.FreeBSD.org>
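
The check-type idea raised in the quoted text above (permit '$' only in a user name, and only where a machine account needs it) could be sketched as follows. This is an added example, not code from pw_user.c or from either poster; the enum, the function name `check_name` and the rejected-character sets are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check types, standing in for the proposed 'int checktype'. */
enum checktype { CHECK_USERNAME, CHECK_GECOS, CHECK_MACHINE };

/* Assumed rejected-character sets; not copied from pw_user.c. */
static const char BAD_NAME[]  = " ,\t:+&#%$^()!@~*?<>=|\\/\"";
static const char BAD_GECOS[] = ":!@";

/* Return 0 if the name is acceptable for the given check type, -1 otherwise. */
int check_name(const char *name, enum checktype type)
{
    size_t len = strlen(name);
    size_t body = len;          /* characters subject to the bad-char scan */
    const char *bad = (type == CHECK_GECOS) ? BAD_GECOS : BAD_NAME;

    if (len == 0)
        return -1;
    if (type == CHECK_MACHINE) {
        /* Machine account: "<host>$", with the only '$' as the last byte. */
        if (len < 2 || name[len - 1] != '$')
            return -1;
        body = len - 1;         /* the trailing '$' is exempt from the scan */
    }
    if (type != CHECK_GECOS && name[0] == '-')
        return -1;              /* would be parsed as an option by tools */
    for (size_t i = 0; i < body; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f || strchr(bad, c) != NULL)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real password file. */
    const char *samples[] = { "asdf", "asdf$", "$asdf", "as$df$" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s user=%d machine=%d\n", samples[i],
               check_name(samples[i], CHECK_USERNAME),
               check_name(samples[i], CHECK_MACHINE));
    return 0;
}
```

Ordinary user names still reject '$' anywhere, so only callers that explicitly ask for the machine-account check can create a name ending in '$'.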
