Date: Wed, 27 Nov 2002 15:06:40 -0600
From: "David W. Chapman Jr." <dwcjr@inethouston.net>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: "David W. Chapman Jr." <dwcjr@inethouston.net>, current@freebsd.org
Subject: Re: pw_user.c change for samba
Message-ID: <20021127210640.GA36331@leviathan.inethouston.net>
In-Reply-To: <3DE5315A.FC6D59B@mindspring.com>
References: <20021127192126.GA31706@leviathan.inethouston.net> <3DE52B70.44402B98@mindspring.com> <20021127203401.GA35573@leviathan.inethouston.net> <3DE5315A.FC6D59B@mindspring.com>

> I gathered that from the SAMBA site, too.
>
> The '$' is a pain. None of the examples in the original post
> would have worked, because the '$' was not '\$', and the shell
> would have blown chunks over the "variable expansion".

The patch I sent in works with "pw add user asdf$", but you may be
right about scripts if the $ is at the beginning.

> It seems to me that this could cause a great deal of problems
> for scripts that process the password files, as they currently
> exist, if they use constructs like "eval", or back-ticks, etc..

The problems are already being caused though. If one wants samba to
work on NT/2K/XP they have to manually add these entries in now anyway.

> If it's allowed, it would probably only be allowed in the
> user name (i.e. the patch is wrong; it should probably add
> another parameter to the allowable values of 'int gecos', and
> change it to 'int checktype' or similar).

I don't have a problem with this, but the patch I sent in is the
extent of my abilities to give me desired results (making pw like samba)

> It seems to me that another alternative is that all these
> names end in '$'; therefore, when you are expecting one of
> these names, you could imply a '$', without needing to actually
> have it in the password file -- in other words, it's an
> attribute, not really part of the account name.
>
> Will this open up a security hole for a normal user account
> being used to compromise the domain system security? Is it
> absolutely necessary to use an in-band method to distinguish
> these records from ordinary user accounts?

I don't think the samba people would be willing to make this type of
change just for FreeBSD since it works for most everyone else. I also
don't think there is currently a way to store attributes about
machines/users permanently in samba.

-- 
David W. Chapman Jr.
dwcjr@inethouston.net   Raintree Network Services, Inc. <www.inethouston.net>
dwcjr@freebsd.org       FreeBSD Committer <www.FreeBSD.org>
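
The thread's concern about scripts that process password files when account names contain '$', as an added example that is not part of the original message or of the pw patch: an sh sketch that accepts '$' only as the final character of a name and reads passwd-format lines with `read -r`, so the name is never re-evaluated by the shell. The function names, the allowed character set and the sample entries are assumptions constructed for illustration, not pw's actual rules.

```shell
#!/bin/sh
# Added illustration; names, character set and sample data are constructed.

# Accept a name made of [A-Za-z0-9._-], optionally followed by exactly one
# trailing '$' (the Samba machine-account form). A '$' anywhere else,
# including at the start, is rejected.
valid_account_name() {
    name=$1
    base=${name%\$}                 # strip one trailing '$' if present
    case $base in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the machine accounts found in passwd-format input on stdin.
# IFS=: with 'read -r' splits the fields without eval or back-ticks,
# so a '$' in the first field is only ever treated as data.
list_machine_accounts() {
    while IFS=: read -r name _rest; do
        case $name in
            *\$) valid_account_name "$name" && printf '%s\n' "$name" ;;
        esac
    done
    return 0
}

# Constructed sample in master.passwd layout; the quoted 'EOF' keeps the
# here-document literal, so no '$' in it is expanded.
sample_passwd() {
    cat <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
asdf$:*:1001:1001::0:0:machine account:/nonexistent:/sbin/nologin
dwc:*:1002:1002::0:0:ordinary user:/home/dwc:/bin/sh
$HOME:*:1003:1003::0:0:leading dollar:/nonexistent:/sbin/nologin
EOF
}

sample_passwd | list_machine_accounts   # prints: asdf$
```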