Why machines in passwd anyway? [was Re: NT machine accounts in FreeBSD?]

Simo Sorce simo.sorce at polimi.it
Thu Aug 10 13:30:34 GMT 2000


Elrond wrote:
> 
> In theory, all this is right (more or less).
> 
> But: Workstations are supposed to turn up in "enumusers"
> (list all users in a domain), and various other places,
> where normal users are also managed.

So we need a centralized point to store NT users/machines, right?
What about smbpasswd/ldap?
> 
> The problem is now: If we want those things to not turn up
> in /etc/passwd (or equivalent), all this stuff has to be
> generated virtually. This means, that listing all users
> isn't like "call the appropriate function of the current
> smbpasswd-backend", but either the trust-accounts have to
> be added after that call, or that call has to be rewritten
> to generate virtual users. And these calls also tell the
> uid. And in case of trust-accounts, we wouldn't have one!

Do we really need a Unix user for trust-accounts?
Does anything related to trust accounts need a Unix user?

> 
> So unless someone wants to spend the time to investigate
> this properly and write a patch, this wont happen soon,
> because the current approach is much cleaner.
> At least from the developer's point of view.
> I have to admit, that I also was a little upset, when I had
> to enter machine names into my local /etc/passwd on my pdc.
> ("They (m*) force me to do crazy stuff... I shouldn't tell
> any of the unix-admins, what I'm doing currently..." ;-))

Many problems with user administration, administration scripts and so
on...

Would it be so difficult to look at that workstation bit in smbpasswd
to know we are talking of a workstation account and that no passwd
lookup is needed?
Are RIDs 16 bits wide or more?
Can't we simply reserve the 32-bit UIDs 0xFFFFF000 to 0xFFFFFFFF for
samba workstation numbers?
I think 4096 workstations may be enough :)

Or better, is it really that difficult to generate the SID/RID once and
store them in smbpasswd/ldap?

> 
>     Elrond
> 
> On Wed, Aug 09, 2000 at 12:11:56PM +1000, Peter Samuelson wrote:
> >
> > [Jerry Carter]
> > > This is a good idea I think.  Luke's original idea left open the
> > > possibility of actually storing information in the home directory of
> > > a machine trust account.  This will never happen I think.
> >
> > Ew, I don't like the sound of that....
> >
> > > With the above proposed scheme, the only nagging detail is to make
> > > sure that the above number space will not overlap with any of the
> > > RIDs generated for user uids.
> >
> > Maybe you will accuse me of resurrecting SURS, but I don't see why the
> > RID can't be just assigned once and then stored in the smbpasswd file
> > (or tdb, or SURS table, or whatever).  This goes for both trust
> > accounts and user accounts, exactly like NT does.  (Not that that's a
> > reason to do it!)
> >
> > This will only fail for `encryption=no'.  And that isn't an issue when
> > you have machine trust accounts in the picture anyway.
> >
> > Peter

-- 
Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
E-mail: simo.sorce at polimi.it
Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
-----------------------------------------------------------------
Be happy, use Linux!
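One way to act on the "workstation bit" and reserved-UID idea discussed in the thread, as an added example that is not part of the original messages or of Samba's own code. The smbpasswd line format, the 'W' account flag, the 0xFFFFF000 window and the uid*2+1000 RID derivation are assumptions about Samba 2.x; the sample file is constructed.

```python
"""Classify smbpasswd entries (added example, not Samba's own code).
Assumed Samba 2.x line format:  name:uid:LMHASH:NTHASH:[flags]:LCT-<hex>:
Flag 'W' marks a workstation trust account (the "workstation bit"), 'U' a
normal user.  The reserved UID window is the thread's proposal; the
uid*2+1000 derivation is Samba 2.x's algorithmic uid->RID mapping."""
import re

WS_UID_LOW, WS_UID_HIGH = 0xFFFFF000, 0xFFFFFFFF   # proposed machine window
RID_MULTIPLIER, BASE_RID = 2, 1000                 # Samba 2.x user RIDs
_LINE = re.compile(r'^([^:]+):(\d+):[0-9A-Fa-fX]{32}:[0-9A-Fa-fX]{32}:\[([^\]]*)\]:')

def parse_smbpasswd(text):
    """Return one dict per entry; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError('malformed smbpasswd line: %r' % line)
        name, uid, flags = m.groups()
        entries.append({'name': name, 'uid': int(uid), 'workstation': 'W' in flags})
    return entries

def uid_to_rid(uid):
    """Samba 2.x algorithmic user RID, truncated to 32 bits like a uint32."""
    return (uid * RID_MULTIPLIER + BASE_RID) & 0xFFFFFFFF

def needs_passwd_lookup(entry):
    """A trust account whose uid sits in the reserved window can be served
    from smbpasswd alone; every other entry must also exist in passwd."""
    return not (entry['workstation'] and WS_UID_LOW <= entry['uid'] <= WS_UID_HIGH)

def rid_collisions(entries):
    """Jerry's overlap concern: return RIDs that more than one entry derives."""
    rids = [uid_to_rid(e['uid']) for e in entries]
    return sorted({r for r in rids if rids.count(r) > 1})

# Constructed sample file; hashes are made-up hex, not real credentials.
H = '0123456789ABCDEF0123456789ABCDEF'
SAMPLE = "\n".join([
    '# name:uid:lm:nt:[flags]:LCT',
    'alice:1001:%s:%s:[U          ]:LCT-39910A2D:' % (H, H),
    'ws01$:4294963200:%s:%s:[W          ]:LCT-39910A2D:' % (H, H),  # 0xFFFFF000
    'bob$:1002:%s:%s:[W          ]:LCT-39910A2D:' % (H, H),         # outside window
])
if __name__ == '__main__':
    for e in parse_smbpasswd(SAMPLE):
        print(e['name'], hex(uid_to_rid(e['uid'])), 'passwd lookup:', needs_passwd_lookup(e))
```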

