Samba should be more selective when importing accounts

Bug #721514 reported by Etienne Goyer
This bug affects 2 people
Affects: samba (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: samba

The Samba postinst maintainer script systematically imports all accounts with uid >= 1000. This is so that user accounts and such have corresponding Samba accounts. In most cases, this is a good thing and make. However, where the machine has been configured with a network directory as the source of user accounts (i.e., using nss_ldap), this may not be desirable. Especially if the network directory hosts a large number of user accounts, this could be very wasteful.

The behavior of the account import is preseedable with the samba/generate_smbpasswd debconf template. This is good, but it's an either/or proposition.

Perhaps it would be better if we were only importing local users (those listed in /etc/passwd)? We could do that by specifying the compat service to getent ("-s compat") in the samba.postinst maintainer script, such as:

if [ "${GENERATE_SMBPASSWD}" = "true" -a ! -e /var/lib/samba/passdb.tdb -a ! -e /etc/samba/smbpasswd ]; then
        getent -s compat passwd | mksmbpasswd > /etc/samba/smbpasswd
        pdbedit -i smbpasswd -e tdbsam -d 0
        rm /etc/samba/smbpasswd
fi

I guess the implications would need to be considered, and the first thing is to decide whether there is a good reason to import the non-local accounts in Samba.

Chuck Short (zulcss) wrote :

Good point, I'll take this under consideration.

chuck

Changed in samba (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Uwe Menges (uwe-menges) wrote :

I just hit the same situation. The solution described (with "getent -s compat passwd") wouldn't work there because they actually have "passwd: compat" in /etc/nsswitch.conf and a "+::::::" line in /etc/passwd. The smbpasswd was already 2 MiB large when I killed the import process.

Can you please un-automate / unbundle the "import accounts" task from the "software installation" task? I just want to install samba, please. Nothing more.

If I want to import remote users locally, I can do so after installation. If I want to connect samba to Active Directory, I *must* do it after installation.
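
Added example, not part of the original report or of the samba package: the comment above notes that "getent -s compat passwd" still expands a "+::::::" entry, so one way to keep the import to local accounts is to read the passwd file directly and skip compat entries. The function name local_passwd_entries, the demo helper and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list only the accounts physically present in a passwd file.
# Compat entries ("+user", "+@netgroup", "+::::::", "-user") are skipped, so
# no NIS/LDAP lookup is ever triggered. All names and data are constructed.

# local_passwd_entries FILE [MIN_UID]
# Prints passwd(5) lines from FILE whose uid is numeric and >= MIN_UID
# (default 1000, the threshold mentioned in the bug description).
local_passwd_entries() {
    file=$1
    min_uid=${2:-1000}
    awk -F: -v min="$min_uid" '
        /^[+-]/          { next }   # compat include/exclude entries
        NF < 7           { next }   # blank or malformed line
        $3 !~ /^[0-9]+$/ { next }   # uid field is not a number
        ($3 + 0) >= (min + 0) { print }
    ' "$file"
}

# Constructed sample resembling an /etc/passwd on a host using "passwd: compat".
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
-guest
+@staff::::::
+::::::
EOF
}

# Writes the sample to a temp file and prints the user names that would be
# handed on to mksmbpasswd.
demo() {
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    local_passwd_entries "$tmp" 1000 | cut -d: -f1
    rm -f "$tmp"
}

demo
```

In the postinst snippet from the description, this output would take the place of "getent -s compat passwd" in front of mksmbpasswd.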
