Why machines in passwd anyway? [was Re: NT machine accounts in FreeBSD?]

Elrond elrond at samba.org
Wed Aug 9 15:03:03 GMT 2000


In theory, all this is right (more or less).

But: Workstations are supposed to turn up in "enumusers"
(list all users in a domain), and various other places,
where normal users are also managed.

The problem is now: If we want those things to not turn up
in /etc/passwd (or equivalent), all this stuff has to be
generated virtually. This means that listing all users
isn't like "call the appropriate function of the current
smbpasswd-backend", but either the trust-accounts have to
be added after that call, or that call has to be rewritten
to generate virtual users. And these calls also tell the
uid. And in case of trust-accounts, we wouldn't have one!

So unless someone wants to spend the time to investigate
this properly and write a patch, this won't happen soon,
because the current approach is much cleaner.
At least from the developer's point of view.
I've to admit, that I also was a little upset, when I had
to enter machine names into my local /etc/passwd on my pdc.
("They (m*) force me to do crazy stuff... I shouldn't tell
any of the unix-admins, what I'm doing currently..." ;-))


    Elrond


On Wed, Aug 09, 2000 at 12:11:56PM +1000, Peter Samuelson wrote:
> 
> [Jerry Carter]
> > This is a good idea I think.  Luke's original idea left open the
> > possibility of actually storing information in the home directory of
> > a machine trust account.  This will never happen I think.
> 
> Ew, I don't like the sound of that....
> 
> > With the above proposed scheme, the only nagging detail is to make
> > sure that the above number space will not overlap with any of the
> > RID's generated for user uid's.
> 
> Maybe you will accuse me of resurrecting SURS, but I don't see why the
> RID can't be just assigned once and then stored in the smbpasswd file
> (or tdb, or SURS table, or whatever).  This goes for both trust
> accounts and user accounts, exactly like NT does.  (Not that that's a
> reason to do it!)
> 
> This will only fail for `encryption=no'.  And that isn't an issue when
> you have machine trust accounts in the picture anyway.
> 
> Peter

