Long machine names...

Jeremy Allison jallison at whistle.com
Thu May 21 19:25:19 GMT 1998


Tim Winders wrote:

> 
> OK.  I have a NT machine named SUP2.  It has a machine account (trust
> account) called SUP2$ in private/smbpasswd.  Because of a bug in some
> administrative management software (Digital Internet Locker) the unix
> account sup2$ has been removed.  The trust account still exists in
> private/smbpasswd and the machine can still login to the domain.
> 
> When does the need for a real unix account come into play?  When creating
> the initial trust account?  For future DC stuff?
> 

You are correct in that at present none of the Samba
code actually uses the fact that the machine account
has an actual existence in the UNIX password file (that's
why it's working for you right now). Currently, the
requirement that the machine account have an existence
in the UNIX password database is to stop duplicate
uids being used by accident.

When NT clients connect to do DCE/RPC, they do so down
an anonymous connection (which is mapped in Samba
to the guest user), they then authenticate themselves
by passing a machine name in the authentication
setup RPC. Currently there is no known RPC that causes
filesystem interaction down this pipe - but if there
is, or there was an RPC that required a level of permission
control on the UNIX system, then there needs to be a
UNIX uid we can use to determine access permissions.

Simply using the guest user might not do if it were
a machine specific restriction (for example).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
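
Added example, not part of the original message and not Samba code: an audit that cross-checks machine trust accounts in smbpasswd against the UNIX password file, flagging a missing UNIX entry (the SUP2$ situation above) and whether its uid has since been handed to another account. The sample data is constructed; the `name:uid:...` smbpasswd layout and the case-insensitive name match (SUP2$ vs sup2$) are assumptions.

```python
# Constructed sample data: hashes are placeholders, accounts are invented.
SMBPASSWD = """\
# private/smbpasswd (constructed sample)
SUP2$:1001:XXXXXXXX:XXXXXXXX:
SUP3$:1002:XXXXXXXX:XXXXXXXX:
SUP4$:1003:XXXXXXXX:XXXXXXXX:
tim:500:XXXXXXXX:XXXXXXXX:
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
tim:x:500:100:Tim:/home/tim:/bin/sh
sup3$:x:1002:200:machine:/dev/null:/bin/false
sup4$:x:1010:200:machine:/dev/null:/bin/false
backup:x:1001:100::/home/backup:/bin/sh
"""

def read_entries(text, uid_field):
    """Return (name, uid) pairs; uid_field is 1 for smbpasswd, 2 for passwd."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            entries.append((fields[0], int(fields[uid_field])))
        except (IndexError, ValueError):
            continue  # malformed line: skip rather than guess a uid
    return entries

def audit_machine_accounts(smbpasswd_text, passwd_text):
    """List (machine, problem, other_unix_accounts_holding_that_uid)."""
    unix = read_entries(passwd_text, 2)
    by_name = {name.lower(): uid for name, uid in unix}
    findings = []
    for name, uid in read_entries(smbpasswd_text, 1):
        if not name.endswith("$"):      # only machine trust accounts
            continue
        others = sorted(n for n, u in unix
                        if u == uid and n.lower() != name.lower())
        unix_uid = by_name.get(name.lower())
        if unix_uid is None:
            findings.append((name, "missing-unix-account", others))
        elif unix_uid != uid:
            findings.append((name, "uid-mismatch", others))
        elif others:
            findings.append((name, "uid-shared", others))
    return findings

if __name__ == "__main__":
    for finding in audit_machine_accounts(SMBPASSWD, PASSWD):
        print(finding)
```

In the sample, SUP2$ has lost its UNIX entry and uid 1001 has been reused by `backup`, which is the accidental duplicate the UNIX account requirement is meant to prevent.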


More information about the samba-technical mailing list