Why machines in passwd anyway? [was Re: NT machine accounts in FreeBSD?]

Simo Sorce sorce at mail.polimi.it
Mon Aug 14 16:15:26 GMT 2000


Quoting Peter Samuelson <peter at cadcamlab.org>:

> 
> [Simo Sorce <simo.sorce at polimi.it>]
> > So we need a centralized point to store NT users/machines, right?
> > what about smbpasswd/ldap?
> 
> My point exactly.  The way I interpret Elrond's response: "fine, sounds
> good, where's your patch?"  In other words, it's not worth changing
> unless someone volunteers....
> 
> > Do we really need a Unix user for trust-accounts?
> > Does anything related to trust accounts need a Unix user?
> 
> No, but from the NT perspective, a list of users is expected to include
> all the trust accounts.  That means the Samba function for enumerating
> users needs to enumerate trust accounts as well.
> 
> Here's my ideal world:
> 
> * "encryption = no" --> this means there are no trust accounts to worry
>   about.  Keep the status quo, use libc/NSS, pull RIDs out of thin air.
> 
> * "encryption = yes" --> look up the main structure in smbpasswd.  This
>   structure includes a RID assigned (randomly or algorithmically) by the
>   `smbpasswd' program when the entry was created.
> 
> * user enumeration is done entirely from smbpasswd (or its replacements
>   like ldap).  This may get a little messy when the client wants to
>   know about home directories and you're feeding them from NIS+, but by
>   that time you aren't talking about trust accounts anyway.
> 
> * anyone who needs the UID uses a separate lookup function sid2uid or
>   whatever (I think this part is already in place, actually) and only
>   *then* do you bother with
>   - username map
>   - getpwnam and friends
>   - groups
>   Then this information is cached by the sid2uid function somehow.
> 
> I think, on the whole, this would be more efficient as well as
> eliminate the pesky machine$-in-/etc/passwd problem.
> 
> Unfortunately it also means a fair amount of coding, in what some
> consider the armpit of the Samba source, passdb/*.  Coding by someone
> who cares enough about this stuff to do it.  Which Elrond doesn't,
> because he has more important things to do to help stabilize Samba.
> (After all, the status quo *does* work, it's just a little annoying for
> the administrator.)
> 
> Peter
> 

OK, here is my patch to strip out workstation accounts from passwd.

It works for me (Linux-Samba PDC <-> NT4-SP5).
Anyone want to test it??

Feedback, really welcome!

Simo.

-- 
   Simo Sorce - Integrazione Sistemi Unix/Windows -
Politecnico di Milano
   E-mail: simo.sorce at polimi.it
   Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
  
-----------------------------------------------------------------
   Be happy, use Linux!
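As an added illustration of the passdb split Peter describes above (this is not Simo's patch, which is not included in the archived message, and not Samba's own code): enumeration is served entirely from smbpasswd-style records, machine accounts included, while a separate cached sid2uid step is the only place that consults getpwnam. Assumptions: the smbpasswd lines and domain SID are constructed, the RID is derived as uid*2+1000, and a dict stands in for getpwnam()/NSS.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-11111-22222-33333"  # constructed sample domain SID

# Constructed smbpasswd-style records (hashes replaced by X's). Flags: 'U' user,
# 'W' workstation trust account; ws01$ has a uid column but NO /etc/passwd entry.
SMBPASSWD = """\
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3991A9B0:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3991A9B0:
ws01$:5001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-3991A9B0:
"""
# Stand-in for getpwnam()/NSS: only real Unix users live here (assumption).
UNIX_PASSWD: Dict[str, int] = {"alice": 1001, "bob": 1002}

@dataclass
class SamAccount:
    name: str
    rid: int
    is_trust: bool  # machine (workstation trust) account

def parse_smbpasswd(text: str) -> List[SamAccount]:
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, uid, _lm, _nt, flags = line.split(":")[:5]
        rid = int(uid) * 2 + 1000  # assumed algorithmic RID assignment
        accounts.append(SamAccount(name, rid, "W" in flags))
    return accounts

def enum_users(accounts: List[SamAccount]) -> List[str]:
    # NT expects trust accounts in the user list, so nothing is filtered out
    # and /etc/passwd is never consulted here.
    return [f"{DOMAIN_SID}-{a.rid}" for a in accounts]

_sid2uid_cache: Dict[str, Optional[int]] = {}

def sid2uid(sid: str, accounts: List[SamAccount]) -> Optional[int]:
    # Separate, cached lookup: only now do we touch getpwnam and friends,
    # and only for accounts that are not trust accounts.
    if sid in _sid2uid_cache:
        return _sid2uid_cache[sid]
    rid = int(sid.rsplit("-", 1)[1])
    uid = None
    for a in accounts:
        if a.rid == rid:
            uid = None if a.is_trust else UNIX_PASSWD.get(a.name)
            break
    _sid2uid_cache[sid] = uid
    return uid
```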