Andrew Bartlett wrote:
> On Thu, 2007-02-22 at 18:18 -0800, Pete Rowley wrote:
>> Andrew Bartlett wrote:
>>> And where OpenLDAP has done something first, or its way of doing things is more sane, I ask that Fedora DS follow that lead. I need less, not more 'if <vendor>' code...
>>
>> Your if vendor code would be zero. Presumably Samba would be enabled with access in line with its operational requirements. Bearing in mind that Samba runs as root, it is likely to find that any machine it is installed on has anonymous access for root, just like it is allowed to actually run as root.
>
> I'm not quite sure what you mean here,

I mean typically services are not allowed to run as root, but apparently Samba must so Samba is configured to do so if the site needs Samba. In exactly the same way, as an example only, auto bind for root might be often mapped to some administrative user in the directory, but clearly that would not be desirable if one wanted Samba to run on the machine. Options would then be: don't configure root as anything other than anonymous, or, if that was not acceptable, configure Samba to use LDAP, not LDAPI, or configure Samba to have root OS privilege, but make use of the autobind feature that allows to more finely distinguish between OS users with the same uid and have Samba identified by its own unique entry with its own unique security context. None of those options involve an #ifdef vendor or even the slightest whiff of a branch in your code.

> It certainly seems an odd default.

Agreed, but that is moot at this point.

--
Pete
--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel