Active Directory name service module (nss_ad) [PSARC/2008/441 FastTrack timeout 07/18/2008]

Gary Winiger gww at eng.sun.com
Wed Jul 16 14:14:22 PDT 2008


> >    | nsswitch.conf.4.txt | Modified nsswitch.conf(4) manpage |
> >    +---------------------+-----------------------------------+

> 	Please provide them and I'll make a best effort to review
> 	by the timer.

	My concern is here in nsswitch.conf(4) functionality.
	From what is provided, it's not clear what the project is
	proposing.

	+     When using Active Directory with native schema for name service,
	+     the default configuration should be modified to use ad for
	+     for passwd and group, dns for hosts resolution and files
	+     for the remaining databases on client machines.
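Review bot: the added paragraph recommends `ad` for passwd and group, but the manpage's own "Interaction with Password Aging" section enumerates the only permitted passwd: settings (files, files nis, files nisplus, files ldap, compat with passwd_compat nisplus or ldap) and states that any other setting makes passwd(1) fail after expiration and prevents the user from logging in; the change should either extend that list or state how a passwd: line using ad interacts with password aging. Also, "to use ad for for passwd and group" repeats "for".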

	What passwd:, group: entries are supported?
	In particular, how are passwd(1), getauusernam(3), getuserattr(3)
	and possibly other interfaces affected?

Gary..
VIZ.

   Interaction with Password Aging
       When password aging is turned on, only a limited set of possible
       name services are permitted for the passwd: database in the
       /etc/nsswitch.conf file:

       passwd:           files
       
       passwd:           files nis
       
       passwd:           files nisplus
       
       passwd:           files ldap
       
       passwd:           compat
       
       passwd_compat:    nisplus
       
       passwd_compat:    ldap
       
       Any other settings will cause the passwd(1) command to fail when
       it attempts to change the password after expiration and will
       prevent the user from logging in. These are the only permitted
       settings when password aging has been turned on. Otherwise, you
       can work around incorrect passwd: lines by using the -r repository
       argument to the passwd(1) command and using passwd -r repository
       to override the nsswitch.conf settings and specify in which name
       service you want to modify your password.

   Interaction with +/- syntax
	Releases prior to SunOS 5.0 did not have the name service
	switch but did allow the user some policy control. In
	/etc/passwd one could have entries of the form +user
	(include the specified user from NIS passwd.byname), -user
	(exclude the specified user) and + (include everything,
	except excluded users, from NIS passwd.byname). The desired
	behavior was often everything in the file followed by
	everything in NIS, expressed by a solitary + at the end of
	/etc/passwd. The switch provides an alternative for this
	case (passwd: files nis) that does not require + entries in
	/etc/passwd and /etc/shadow (the latter is a new addition to
	SunOS 5.0, see shadow(4)).

	If this is not sufficient, the NIS/YP compatibility source
	provides full +/- semantics. It reads /etc/passwd for
	getpwnam(3C) functions and /etc/shadow for getspnam(3C)
	functions and, if it finds +/- entries, invokes an
	appropriate source. By default, the source is nis, but this
	may be overridden by specifying nisplus or ldap as the source
	for the pseudo-database passwd_compat.

	Note that in compat mode, for every /etc/passwd entry, there
	must be a corresponding entry in the /etc/shadow file.

	The NIS/YP compatibility source also provides full +/-
	semantics for group; the relevant pseudo-database is
	group_compat.
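To make the password-aging restriction quoted above checkable, here is an added example (not from the thread, the manpage or the project) that parses the passwd: and passwd_compat: entries of an nsswitch.conf and compares them with the permitted list from the manpage; the sample configurations are constructed, and dropping [..] status criteria before the comparison is an assumption.

```python
"""Check a nsswitch.conf passwd: configuration against the sources that
nsswitch.conf(4) permits when password aging is enabled.  Added example,
not part of the original thread; the permitted set is the one quoted
from the manpage."""
import re

# Permitted passwd: source lists when password aging is on (from the manpage).
PERMITTED_PASSWD = {("files",), ("files", "nis"), ("files", "nisplus"),
                    ("files", "ldap"), ("compat",)}
# Sources the compat pseudo-database may resolve to; nis is the documented
# default, nisplus and ldap the documented overrides.
PERMITTED_COMPAT = {("nis",), ("nisplus",), ("ldap",)}


def parse_nsswitch(text):
    """Return {database: (source, ...)} from nsswitch.conf text.
    Comments are dropped; status criteria such as [NOTFOUND=return] are
    also dropped (assumption: they do not affect the aging restriction)."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        dbs[name.strip()] = tuple(rest.split())
    return dbs


def check_password_aging(text):
    """Return (ok, reason) for the passwd: configuration in text."""
    dbs = parse_nsswitch(text)
    passwd = dbs.get("passwd")
    if passwd is None:
        return False, "no passwd: entry"
    shown = " ".join(passwd)
    if passwd not in PERMITTED_PASSWD:
        return False, "passwd: %s is not permitted with password aging" % shown
    if passwd == ("compat",):
        compat = dbs.get("passwd_compat", ("nis",))  # default source is nis
        if compat not in PERMITTED_COMPAT:
            return False, "passwd_compat: %s is not permitted" % " ".join(compat)
    return True, "passwd: %s is permitted with password aging" % shown


# Constructed samples: the configuration the proposal describes, and a
# compat/ldap configuration the manpage lists as permitted.
PROPOSED_AD = "passwd: files ad\ngroup: files ad\nhosts: files dns\n"
COMPAT_LDAP = "passwd: compat\npasswd_compat: ldap\ngroup: files\n"
```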
