Date: Fri, 7 Feb 2014 22:30:13 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: get rid of getpwent? (Was: cygwin-1.7.28 getpwent header declaration changes ?)
Message-ID: <20140207213013.GT2821@calimero.vinschen.de>
In-Reply-To: <52F53D7C.5050201@etr-usa.com>

On Feb  7 13:09, Warren Young wrote:
> On 2/7/2014 02:49, Corinna Vinschen wrote:
> >On Feb  6 14:43, Warren Young wrote:
> >>On 2/6/2014 07:13, Corinna Vinschen wrote:
> >
> >it would, of course, be possible to implement Cygwin
> >command line tools along the lines of useradd/usermod/groupdel.  For AD,
> >they would just have to use LDAP,
>
> If by "use LDAP" you mean the ldap_* functions in the OpenLDAP
> library, I can't recommend it.  (See my other post on LDAP books.)

You can also use the calls from wldap32.dll which is available anyway.

> Such programs need not be portable.

Never said so.

> I don't see why such programs shouldn't be written straight to the
> Windows API, even though this is naughty on Cygwin.  The Win32
> security API fills the same role as libldap does on a Linux box
> configured for LDAP.

The underlying protocol is LDAP, so why not use it, given that lots of
changes to AD cannot be done using the "High Level" Net API anyway.

> You're right that such programs are probably going to be necessary,
> if Cygwin moves to SAM/AD as primary.  Windows Home edition user
> management probably won't be powerful enough to do what Cygwin
> needs, if SAM is Cygwin's Single Point of Truth on such systems.

Again, it isn't.  We will keep the passwd and group files for users who
are more comfortable with them.  We will also have an nsswitch.conf file
for configuration.  I attached my local sandbox version below.

> I want the mkpasswd and mkgroup utilities to remain available

They will, with slight changes.  The default values generated for
uid/gid numbers should preferably reflect the automatism when reading
from SAM/AD.

> Corinna, an earlier post of yours suggested that /etc/foo was being
> kept as primary for speed reasons, but are you comparing to SAM or
> to AD?  And have you tested it lately?

Did I really write something about speed?  I think SAM/AD will be mostly
quicker but they will be especially less hassle and allow centralized
maintenance, which is a real boon for admins.  Also, the new Cygwin
will only read and cache the requested entries from the passwd/group
files, not the entire file.

Also, if it turns out that AD is too slow for some reason or in some
environment, we should consider using cygserver as a centralized local
cache.  But this is something for later.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[Attachment: nsswitch.conf]

# /etc/nsswitch.conf
#
#    This file is read once by the first process in a Cygwin process tree.
#    To pick up changes, restart all Cygwin processes.
#
# passwd:
# group:
#
#    "files"     only use /etc/passwd or /etc/group file.
#    "db"        only use SAM/AD retrieval.
#    "files db"  both, files preferred.  This is the default.
#
#    "db files"  does not make any sense
#
passwd: files db
group: files db

#
# Configuration of "db" style passwd/group handling:
#
# db_prefix:
#
#    "auto"     If "auto", prepend domain to account name if the account
#               is not a member of the machine's primary domain.  Prepend
#               just the separator char if the account is a well-known
#               or builtin group.
#
#    "primary"  "primary" is like "auto", but prepend domain to account name
#               as well, if the account is a member of the machine's primary
#               domain.
#
#    "always"   If set to "always", always prepend domain, even for
#               well-known and builtin accounts.
#
db_prefix: auto

#
# db_cache:
#
#    "yes"  If yes, cache once retrieved DB values in local process,
#           hand cache down to child processes.
#
#    "no"   If no, fetch passwd or group entries anew, every time an
#           entry is requested.  Default is "no".
#
db_cache: no

#
# db_separator:
#
#    Set separator character between domain and account name to
#    the ASCII char X.  Default is '+'.
#
db_separator: +
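
Added example, not part of the original mail or of Cygwin's code: a Python checker for the draft nsswitch.conf above that applies the defaults stated in its comments, flags values the draft does not list (including "db files"), and shows how db_prefix and db_separator shape the account names that ownership checks and scripts will see. The function names are hypothetical, and treating only whole-line # comments as comments is an assumption.

```python
# Added example: checker for the draft nsswitch.conf attached to this mail.
# Keys, values and defaults are taken from the comments in that draft.
DEFAULTS = {"passwd": ("files", "db"), "group": ("files", "db"),
            "db_prefix": "auto", "db_cache": "no", "db_separator": "+"}
ALLOWED = {"db_prefix": {"auto", "primary", "always"}, "db_cache": {"yes", "no"}}


def parse_nsswitch(text):
    """Return (settings, problems) for the given nsswitch.conf text."""
    settings = dict(DEFAULTS)            # values are immutable, shallow copy is safe
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, colon, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not colon or key not in DEFAULTS:
            problems.append(f"line {lineno}: unknown setting {key!r}")
        elif key in ("passwd", "group"):
            sources = tuple(value.split())
            if sources in (("files",), ("db",), ("files", "db")):
                settings[key] = sources
            else:  # includes "db files", which the draft says makes no sense
                problems.append(f"line {lineno}: bad {key} sources {value!r}")
        elif key == "db_separator":
            if len(value) == 1 and value.isascii():
                settings[key] = value
            else:
                problems.append(f"line {lineno}: separator must be one ASCII char")
        elif value in ALLOWED[key]:
            settings[key] = value
        else:
            problems.append(f"line {lineno}: bad {key} value {value!r}")
    return settings, problems


def db_account_name(settings, domain, account, in_primary_domain, well_known):
    """Name form for an account fetched via "db", per the db_prefix comments."""
    sep, mode = settings["db_separator"], settings["db_prefix"]
    if mode == "always":                 # domain even for well-known/builtin
        return domain + sep + account
    if well_known:                       # auto/primary: separator only
        return sep + account
    if mode == "auto" and in_primary_domain:
        return account                   # primary-domain member, no prefix
    return domain + sep + account
```

A rejected line leaves the documented default in place, so the returned settings always describe a complete configuration alongside the list of problems.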