Why machines in passwd anyway? [was Re: NT machine accounts in FreeBSD?]

Peter Samuelson peter at cadcamlab.org
Fri Aug 11 21:59:06 GMT 2000


[Simo Sorce <simo.sorce at polimi.it>]
> So we need a centralized point to store NT users/machines, right?
> what about smbpasswd/ldap?

My point exactly.  The way I interpret Elrond's response: "fine, sounds 
good, where's your patch?"  In other words, it's not worth changing
unless someone volunteers....

> Do we really need a Unix user for trust-accounts?
> Do anything related to trust account need a Unix user?

No, but from the NT perspective, a list of users is expected to include
all the trust accounts.  That means the Samba function for enumerating
users needs to enumerate trust accounts as well.

Here's my ideal world:

* "encryption = no" --> this means there are no trust accounts to worry
  about.  Keep the status quo, use libc/NSS, pull RIDs out of thin air.

* "encryption = yes" --> look up the main structure in smbpasswd.  This
  structure includes a RID assigned (randomly or algorithmically) by the
  `smbpasswd' program when the entry was created.

* user enumeration is done entirely from smbpasswd (or its replacements 
  like ldap).  This may get a little messy when the client wants to
  know about home directories and you're feeding them from NIS+, but by
  that time you aren't talking about trust accounts anyway.

* anyone who needs the UID uses a separate lookup function sid2uid or
  whatever (I think this part is already in place, actually) and only
  *then* do you bother with
  - username map
  - getpwnam and friends
  - groups
  Then this information is cached by the sid2uid function somehow.

I think, on the whole, this would be more efficient as well as
eliminate the pesky machine$-in-/etc/passwd problem.

Unfortunately it also means a fair amount of coding, in what some
consider the armpit of the Samba source, passdb/*.  Coding by someone
who cares enough about this stuff to do it.  Which Elrond doesn't,
because he has more important things to do to help stabilize Samba.
(After all, the status quo *does* work, it's just a little annoying for
the administrator.)

Peter
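The "enumerate from smbpasswd, resolve uid lazily through a cached sid2uid" design Peter sketches above, as an added illustration that is not code from the post or from Samba; the record format, the username map and the passwd table are constructed stand-ins, not the real smbpasswd layout:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample SAM file in a hypothetical format (not real smbpasswd):
# name:rid:nt_hash:flags, with U = user, W = workstation trust account.
SAM_FILE = """\
alice:1001:0123456789abcdef0123456789abcdef:U
bob:1002:fedcba9876543210fedcba9876543210:U
WS01$:1003:00000000000000000000000000000000:W
"""
# Constructed stand-ins for smb.conf's username map and for getpwnam/NSS.
USERNAME_MAP = {"bob": "robert"}
UNIX_PASSWD = {"alice": 500, "robert": 501}

@dataclass(frozen=True)
class SamEntry:
    name: str
    rid: int        # assigned when the entry was created, stored in the SAM
    nt_hash: str
    is_trust: bool  # machine$ / trust account: never needs a Unix user

def enumerate_users(sam_text: str) -> List[SamEntry]:
    """NT-style enumeration: every SAM entry, trust accounts included,
    without consulting /etc/passwd at all."""
    entries = []
    for line in sam_text.splitlines():
        if line and not line.startswith("#"):
            name, rid, nt_hash, flags = line.split(":")
            entries.append(SamEntry(name, int(rid), nt_hash, "W" in flags))
    return entries

class Sid2Uid:
    """Separate, cached RID -> uid step (username map, then passwd lookup),
    run only when a caller actually needs the uid."""
    def __init__(self, entries: List[SamEntry]) -> None:
        self.by_rid = {e.rid: e for e in entries}
        self.cache: Dict[int, Optional[int]] = {}
        self.passwd_lookups = 0  # counts the expensive getpwnam-style calls

    def lookup(self, rid: int) -> Optional[int]:
        if rid in self.cache:
            return self.cache[rid]
        entry = self.by_rid[rid]  # KeyError for an unknown RID
        uid = None
        if not entry.is_trust:
            unix_name = USERNAME_MAP.get(entry.name, entry.name)
            self.passwd_lookups += 1
            uid = UNIX_PASSWD.get(unix_name)
        self.cache[rid] = uid
        return uid
```

Enumeration lists WS01$ without any /etc/passwd entry, and the trust account never triggers a passwd lookup; repeated lookups for the same RID hit the cache.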

