Long machine names...
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Thu May 21 17:45:52 GMT 1998
On Thu, 21 May 1998, Tim Winders wrote:
> On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > > > 1) use a mangling system
> > > > 2) map all $ accounts to "nobody"
> > >
> > > Why is #2 "nasty".
> >
> > it destroys jeremy's wish to see all NT accounts with an equivalent unix
> > account.
>
> Well, I don't see how this can ever happen with a maximum possible machine
> name of 16 characters...
>
> > the "map username" (or map trust accounts to guest) can be seriously
> > abused...
>
> OK, we are talking ONLY about machine names here. In an NT domain, what
> EXACTLY are machine names used for?

please refer to them as "trust accounts". it will help you understand
what they are.

> I thought (on NT) you could only JOIN
> the domain if the machine already has an account

(a trust account)

> in the domain.

correct. actually, if you type in the admin user/pass, you can get a
workstation trust account created _at_ the time you attempt to join the
domain. not yet possible with samba, so you manually add using "smbpasswd
-a -m machine_name".

> After
> that, all the trusts etc are handled by the DC. IF this is the case, what
> does it matter if we map machine names to nobody,

IMHO, not really, as _long_ as the underlying database maintains a unique
RID for each account (including trust accounts).

this is where jeremy really wants unix accounts to be created on a
per-workstation basis, so that a monotonic mapping can be maintained
between unix uid and NT rid.