From owner-freebsd-current@FreeBSD.ORG Mon Jul 17 11:58:57 2006
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 586E116A4DF for ; Mon, 17 Jul 2006 11:58:57 +0000 (UTC) (envelope-from frode@nordahl.net)
Received: from smtp1.powertech.no (smtp1.powertech.no [195.159.0.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id 12E5643D73 for ; Mon, 17 Jul 2006 11:58:53 +0000 (GMT) (envelope-from frode@nordahl.net)
Received: from [195.159.6.24] (ws24.ns5.powertech.no [195.159.6.24]) by smtp1.powertech.no (Postfix) with ESMTP id EDD7681B6; Mon, 17 Jul 2006 13:58:51 +0200 (CEST)
In-Reply-To: <20060528173242.GC16530@katherina.student.utwente.nl>
References: <20060528173242.GC16530@katherina.student.utwente.nl>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <9AB75EDF-A550-4823-B1F6-CA8AFFBC6821@nordahl.net>
Content-Transfer-Encoding: 7bit
From: Frode Nordahl
Date: Mon, 17 Jul 2006 13:58:58 +0200
To: Matthijs Kooijman
X-Mailer: Apple Mail (2.752.2)
Cc: freebsd-current@freebsd.org
Subject: Re: FreeBSD nss, getgroupmembership(3)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 17 Jul 2006 11:58:57 -0000

On 28. mai. 2006, at 19.32, Matthijs Kooijman wrote:

> I've been playing around with this issue myself as well. I want to support
> nested groups through winbind, which is supported through
> winbind_getgrouplist, but not through getgrent...

Great to see some more interest in it! :-) I am about to go live with a system with a significant number of users (> 1 million), and have just disabled group lookups for now.

>> By coincidence I found that NetBSD has created the infrastructure
>> needed to make this a reality already! In NetBSD getgrouplist(3) is
>> now a front-end for getgroupmembership(3).
> I just found this one too. I'm not sure how widespread the implementation of
> getgroupmembership is, though. I know nss_winbind does not implement it, but
> does implement initgroups_dyn. From your post I think nss_ldap does
> this also.

Most NSS modules come from Linux / GLIBC, and thus match their implementations. Since this does not exist in FreeBSD yet, I would first look to the other BSDs and try to match their implementation. Since FreeBSD's nss comes from NetBSD I think it is pretty obvious that we want to import new features from them, and not from GNU Libc. :-)

However, NSS is a large beast reaching into many central parts of libc, and great care must be taken to not break anything when importing new code. Last I looked it seemed like NetBSD's NSS code had moved along quite a bit, and I don't know if it is common practice to backport specific functionality, or to just do a new import?

>> Is there any chance for FreeBSD to get an updated import of NSS from
>> NetBSD anytime soon? :-)
> Due to the (possibly) limited support of getgroupmembership in nss backends,
> it might be better to use initgroups_dyn instead?

No, I would rather let BSD NSS be BSD NSS and implement a compatibility layer for initgroups_dyn :-) See /usr/src/lib/libc/net/nss_compat.c and bsdnss.c in nectar's nss_ldap port.

> Anyway, I've spent some words on this issue on my blog [1], if anyone's
> interested. I'm planning on trying to make this work on FreeBSD sometime soon.
> But, since I only have FreeBSD 6.0 machines to play around with (possibly 6.1
> soon), I will probably code up a patch for 6.0. Have there been big changes to
> nss since then that might make this a useless idea?

New code should generally be patches against -CURRENT, but I don't think this is a part of the source tree that is changed very often. I would at least have a look at the files you plan on changing from -CURRENT so you can know that the world as you know it is not about to be changed / replaced :)

Frode Nordahl
frode@nordahl.net
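
An added example, not part of the original message and not code from nss_compat.c or the nss_ldap port: a sketch of the kind of compatibility layer discussed above, adapting a glibc-style `initgroups_dyn` entry point to a BSD-style `getgroupmembership` result. Assumptions: the entry-point shape and status values follow glibc's NSS convention, the return convention follows getgrouplist(3) (0 if everything fit, -1 if truncated, with the full count reported), and `demo_initgroups_dyn`, `compat_getgroupmembership` and the sample user and gids are hypothetical, constructed names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL = -1,
                  NSS_STATUS_NOTFOUND = 0, NSS_STATUS_SUCCESS = 1 };
/* Shape of a glibc module's _nss_<name>_initgroups_dyn entry point. */
typedef enum nss_status (*initgroups_dyn_fn)(const char *user, gid_t group,
    long *start, long *size, gid_t **groupsp, long limit, int *errnop);

/* Constructed stand-in backend: "alice" is a member of gids 100, 200, 300. */
enum nss_status demo_initgroups_dyn(const char *user, gid_t group,
    long *start, long *size, gid_t **groupsp, long limit, int *errnop)
{
    static const gid_t member_of[] = { 100, 200, 300 };
    if (strcmp(user, "alice") != 0)
        return NSS_STATUS_NOTFOUND;
    for (size_t i = 0; i < sizeof member_of / sizeof member_of[0]; i++) {
        if (member_of[i] == group || (limit > 0 && *start >= limit))
            continue;       /* primary gid is the caller's; honour the limit */
        if (*start == *size) {              /* grow the caller's array */
            gid_t *n = realloc(*groupsp, (size_t)*size * 2 * sizeof(gid_t));
            if (n == NULL) { *errnop = ENOMEM; return NSS_STATUS_TRYAGAIN; }
            *groupsp = n; *size *= 2;
        }
        (*groupsp)[(*start)++] = member_of[i];
    }
    return NSS_STATUS_SUCCESS;
}

/* Hypothetical shim: 0 if every gid fit, -1 if truncated or the backend
 * failed. On 0 or truncation *ngroups is the full count, so a caller can
 * retry with a larger buffer instead of silently losing memberships. */
int compat_getgroupmembership(initgroups_dyn_fn fn, const char *user,
    gid_t basegid, gid_t *groups, int maxgrp, int *ngroups)
{
    long start = 1, size = 2;
    int err = 0;
    gid_t *tmp = malloc((size_t)size * sizeof(gid_t));
    if (tmp == NULL) return -1;
    tmp[0] = basegid;                       /* primary group always first */
    enum nss_status st = fn(user, basegid, &start, &size, &tmp, 0, &err);
    if (st != NSS_STATUS_SUCCESS && st != NSS_STATUS_NOTFOUND) {
        free(tmp); return -1;
    }
    for (long i = 0; i < start && i < maxgrp; i++)
        groups[i] = tmp[i];
    *ngroups = (int)start;
    free(tmp);
    return start <= maxgrp ? 0 : -1;
}
```

A caller that treats the -1 return as "list complete" would make access decisions on a partial group set, which is why the shim reports the full count separately from the copied entries.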