[Samba] Samba 4 "Trigger" when user is created???

Andrew Bartlett abartlet at samba.org
Fri Nov 14 16:25:13 MST 2014


On Fri, 2014-11-14 at 14:17 -0800, Jeremy Allison wrote:
> On Fri, Nov 14, 2014 at 10:40:16PM +1300, Andrew Bartlett wrote:
> > On Wed, 2014-11-12 at 12:54 -0800, Greg Zartman wrote:
> > > I am working to deploy Samba4 on the SME Server:  A customized version of
> > > Centos with a web management GUI and configuration API.
> > > 
> > > One of the challenges we see is how we synchronize our SME Server
> > > configuration API with users who are created using tools outside of *nix.
> > > For example if a user were created using the windows administration tools.
> > > 
> > > Are there any triggers in Samba that could be set to let the system know a
> > > new user was created by tools other than those provided by Samba?
> > 
> > We do some things internally when a new user is created - the samldb
> > module is one of the (many) places we hook on, in our ldb module stack.
> > But yes, we don't call out to an external script any more.  We also have
> > to be a bit careful when doing so, as we would still be under the
> > transaction lock. 
> > 
> > I agree we can improve in this area.  We wouldn't match AD any more -
> > all the servers would have to be matching Samba servers - but we should
> > do better.  Ideally we would re-use the existing option, to keep things
> > consistent. 
> 
> Couldn't we just add the hook inside:
> 
> source4/rpc_server/samr/dcesrv_samr.c:dcesrv_samr_CreateUser2()
> 
> just before we return NT_STATUS_OK ?
> 
> That would be the old-school way to do it :-).

No, because that wouldn't catch anything (much) any more.  Most users
(and by default, all machine accounts) are created against AD via the
LDAP interface.

Additionally, we would have to make sure that anything that ran also
behaved correctly when operated from:
 - SAMR
 - LDAP
 - samba-tool
 - Direct LDB access
 - passdb-based tools (net, pdbedit, smbpasswd)
 - DRS Replication from another AD server (should this be triggered, or
not?)

As all would go via the same ldb module stack. 

Nothing impossible of course, just a bit more complex in the AD world.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

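A defender-side alternative to the per-entry-point hook discussed in the thread, added here as an example (it is not Samba code and not from any poster): instead of hooking SAMR, LDAP or samba-tool separately, poll the directory itself for accounts whose uSNCreated has advanced, since every creation path ends in the same ldb database. The LDAP filter, attribute shapes and the sample result set are assumptions constructed for the example.

```python
"""Find users created in a Samba AD domain since the last sweep.

Added example, not Samba's own code. Rather than hooking one entry point
(which misses LDAP-created objects), it inspects the outcome: every creation
path lands in the same ldb database, so polling uSNCreated/uSNChanged on one
DC sees them all. Entries are assumed to come from an LDAP search such as
'(&(objectClass=user)(uSNChanged>=N))'; a constructed result set is embedded.
"""
from dataclasses import dataclass

# userAccountControl bits marking machine and trust accounts (MS-SAMR).
MACHINE_BITS = 0x1000 | 0x2000 | 0x0800  # WORKSTATION | SERVER | INTERDOMAIN trust

# Constructed sample of what the search above might return after USN 4000.
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "sAMAccountName": "alice",
     "uSNCreated": "3120", "uSNChanged": "4011", "userAccountControl": "512"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "sAMAccountName": "bob",
     "uSNCreated": "4025", "uSNChanged": "4025", "userAccountControl": "512"},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com", "sAMAccountName": "WS01$",
     "uSNCreated": "4030", "uSNChanged": "4033", "userAccountControl": "4096"},
    {"dn": "CN=carol,CN=Users,DC=example,DC=com", "sAMAccountName": "carol",
     "uSNCreated": "4041", "uSNChanged": "4042", "userAccountControl": "514"},
]

@dataclass(frozen=True)
class NewUser:
    dn: str
    sam_account_name: str
    usn_created: int

def new_users_since(entries, watermark, include_machines=False):
    """Return (new users sorted by uSNCreated, next watermark).

    An entry counts as a creation only if uSNCreated is above the watermark;
    an object whose uSNChanged moved but whose uSNCreated is old was merely
    modified and is skipped. USNs are per-DC, so an object that arrived via
    DRS replication gets a local uSNCreated and is reported like any other:
    always poll the same DC and keep that DC's watermark.
    """
    found, next_wm = [], watermark
    for e in entries:
        created, changed = int(e["uSNCreated"]), int(e["uSNChanged"])
        next_wm = max(next_wm, changed)
        if created <= watermark:
            continue  # pre-existing object, possibly modified
        if int(e.get("userAccountControl", "0")) & MACHINE_BITS and not include_machines:
            continue  # computer or trust account, not a person
        found.append(NewUser(e["dn"], e["sAMAccountName"], created))
    found.sort(key=lambda u: u.usn_created)
    return found, next_wm
```

Store the returned watermark between sweeps and search with `uSNChanged>=watermark+1` on the next run; a restart against a different DC must reset it.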