password API needed

Luke Kenneth Casson Leighton lkcl at
Fri May 8 14:00:04 GMT 1998

On Fri, 8 May 1998, Jean-Francois Micouleau wrote:

> On Fri, 8 May 1998, Luke Kenneth Casson Leighton wrote:
> > in your ldap code, you make the distinction between a "machine" account
> > and a "user" account.  can you remove this distinction?  machine acounts
> > _are_ user accounts, and "machine" accounts is a misleading name: they are
> > actually a subset of trust accounts.  therefore, can we refer to them as
> > "trust" accounts from now? 
> I know you don't want to make a distinction between users and machines.

there is no distinction, as far as NT 3.5 / 4.0 accounts are concerned: we
don't have to like it.

hm.  thinks.

thinks some more.

ok, leave it as-is, but rename to "trust" account not "machine" account.
there's no such thing as a "machine" account.

> > the uint16 acct_ctrl member, when the ACB_WKSTRUST bit is set, correctly
> > and uniquely identifies the account as a workstation trust account. 
> That's faster to look at only users or trust accounts in ldap and that's
> the same for SQL for example.

trust accounts should probably therefore be stored in a separate schema.
> > there just happens to be an additional (redundant but "visual-in-text") 
> > method to identify a trust account: it ends with $. 
> BTW having two distinct object classes is more 'NT5 compliant' in an LDAP
> point of view.

what does NT 5 do with respect to trust accounts?

More information about the samba-technical mailing list