Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu May 21 17:45:52 GMT 1998

On Thu, 21 May 1998, Tim Winders wrote:

> On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote:
> > > > 1) use a mangling system
> > > > 2) map all $ accounts to "nobody"
> > > 
> > > Why is #2 "nasty".
> > 
> > it destroys jeremy's wish to see all NT accounts with an equivalent unix
> > account.
> Well, I don't see how this can ever happen with a maximum possible machine
> name of 16 characters...
> > the "map username" (or map trust accounts to guest) can be seriously
> > abused...
> OK, we are talking ONLY about machine names here.  In an NT domain, what
> EXACTLY are machine names used for?

please refer to them as "trust accounts".  it will help you understand
what they are.

>  I thought (on NT) you could only JOIN
> the domain if the machine already has an account

(a trust account)

> in the domain.

correct.  actually, if you type in the admin user/pass, you can get a
workstation trust account created _at_ the time you attempt to join the
domain.  not yet possible with samba, so you manually add using "smbpasswd
-a -m machine_name".

>  After
> that, all the trusts etc are handled by the DC.  IF this is the case, what
> does it matter if we map machine names to nobody,

IMHO, not really, as _long_ as the underlying database maintains a unique
RID for each account (including trust accounts).

this is where jeremy really wants unix accounts to be created on a
per-workstation basis, so that a monotonic mapping can be maintained
between unix uid and NT rid.

