SURS, machine accounts, etc... [was Re: Inoltra: Re: Why machines in passwd anyway?]

Simo Sorce simo.sorce at polimi.it
Mon Aug 28 15:05:32 GMT 2000


Peter Samuelson wrote:
> 
> [Adam Williams <awilliam at whitemice.org>]
> > I'm mostly just a lurker but I don't see how a search of /etc/passwd
> > (or nss at least) can be avoided.
> 
> For user accounts, yes, we need to look up the NSS entry.  But for NT
> domain trust accounts, IMHO, we do not.  And that's what we're talking
> about here, as Paul has said.  The trust account only needs to store
> three things [well, I may be simplifying a bit]: client name, password,
> and RID.  The first two are already in the smbpasswd file -- why not
> the third as well?
> 
> The notion of calculating the RID from the UID, as opposed to just
> putting a unique one in the smbpasswd store and always using *that*,
> has another potential problem.  What if we're a BDC?  In that case we
> don't have any control over the RID; we have to use what the PDC tells
> us.  Obviously we have to cache this value ... but where?  I don't know
> how Samba-TNG resolves this issue but to me the obvious place is the
> smbpasswd file, where all the other DC information is already.
> 
> Peter

This is only one of the points that arise from the coming BDC support; another
is the everyday, most-wanted NT -> Samba migration.
If RIDs are stored in smbpasswd there's no problem, simply copy them from
the NT database; otherwise you are forced to change all the users' RIDs,
clients' permissions, etc. = technical nightmare in the migration path.
(This way I think we need to get the special information out of the least
significant bit of the RID and place it also in smbpasswd, trust the W
in the acct field, and have an smbgroup to have custom groups (mapped in
/etc/group?).)

The worst thing about having workstation accounts in passwd is platform
portability ($, name length, ...) and administration nightmares: you need
to change all the scripts that control your passwd to take into account the
existence of these particular accounts, you need to change the way you
get the number of real users on your system, password aging, account
expiration, etc., etc.



-- 
Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
E-mail: simo.sorce at polimi.it
Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
-----------------------------------------------------------------
Be happy, use Linux!
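The two RID strategies debated in this thread, as an added worked example (it is not code from Samba or from either poster). It contrasts computing the RID from the Unix uid/gid, the Samba 2.x convention in which the least significant bit of the RID marks user versus group, with reading the RID back from the smbpasswd entry. The trailing seventh `rid` field, the `resolve_rid` policy switch and the sample lines are constructed for this example; the real smbpasswd format has no stored RID field, and the hashes are placeholders.

```python
"""Added example for the samba-technical thread above, not code from Samba
or from the list posters.  Contrasts an algorithmic uid/gid -> RID mapping
(Samba 2.x style: low bit of the RID distinguishes users from groups) with a
RID stored in a hypothetical extra smbpasswd field, and shows which imported
accounts would break if the algorithmic mapping were forced on them."""

BASE_RID = 1000        # Samba 2.x convention: RIDs below 1000 are well-known RIDs
RID_MULTIPLIER = 2     # leaves the least significant bit free as a user/group flag


def uid_to_user_rid(uid):
    """Algorithmic mapping: user RIDs are even."""
    return uid * RID_MULTIPLIER + BASE_RID


def gid_to_group_rid(gid):
    """Algorithmic mapping: group RIDs are odd."""
    return gid * RID_MULTIPLIER + BASE_RID + 1


def rid_is_group(rid):
    """The 'special information in the least significant bit' from the thread."""
    return rid >= BASE_RID and (rid - BASE_RID) % RID_MULTIPLIER == 1


def rid_to_unix_id(rid):
    """Inverse of the algorithmic mapping; returns ('uid' | 'gid', number)."""
    if rid < BASE_RID:
        raise ValueError("well-known RID %d has no Unix counterpart" % rid)
    kind = "gid" if rid_is_group(rid) else "uid"
    return kind, (rid - BASE_RID) // RID_MULTIPLIER


def parse_smbpasswd_line(line):
    """Parse name:uid:lmhash:nthash:[flags]:LCT-hex:[rid:] into a dict.

    The optional seventh field is the hypothetical stored RID discussed in
    the thread (not part of the real format); it is None when absent."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("malformed smbpasswd line: %r" % line)
    flags = set(fields[4].strip("[] "))      # e.g. {'U'} or {'W'}
    rid = int(fields[6]) if len(fields) > 6 and fields[6] else None
    return {
        "name": fields[0],
        "uid": int(fields[1]),
        "lmhash": fields[2],
        "nthash": fields[3],
        "flags": flags,                       # 'U' user, 'W' workstation trust account
        "trust_account": "W" in flags,
        "rid": rid,
    }


def resolve_rid(entry, policy):
    """RID the server would hand out for this entry under the given policy."""
    if policy == "algorithmic":
        return uid_to_user_rid(entry["uid"])
    if policy == "stored":
        if entry["rid"] is None:
            raise LookupError("%s has no stored RID (BDC or migrated account?)"
                              % entry["name"])
        return entry["rid"]
    raise ValueError("unknown policy %r" % policy)


def migration_conflicts(entries):
    """Names of accounts whose stored (NT-imported) RID differs from the
    algorithmic one: every ACL on the clients that names that RID would
    stop matching after a switch to the algorithmic policy."""
    return [e["name"] for e in entries
            if e["rid"] is not None and e["rid"] != uid_to_user_rid(e["uid"])]


# Constructed sample entries: placeholder hashes, not real credentials.
# 'bob' carries a constructed stored RID as it might have been copied from an NT SAM.
SAMPLE_SMBPASSWD = """\
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-39AA1F00:
ws01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-39AA1F00:
bob:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-39AA1F00:1105:
"""


def load_entries(text=SAMPLE_SMBPASSWD):
    """Parse every non-comment line of an smbpasswd-style text."""
    return [parse_smbpasswd_line(line) for line in text.splitlines()
            if line and not line.startswith("#")]


if __name__ == "__main__":
    entries = load_entries()
    for e in entries:
        stored = e["rid"] if e["rid"] is not None else "-"
        print("%-6s uid=%d trust=%-5s algorithmic_rid=%d stored_rid=%s"
              % (e["name"], e["uid"], e["trust_account"],
                 resolve_rid(e, "algorithmic"), stored))
    print("accounts whose RID would change on migration:", migration_conflicts(entries))
```

The `W` flag check is the only thing a trust account needs from the flags field for the purposes of the thread; the `migration_conflicts` list is the concrete form of the "technical nightmare" above: each name it returns is an account whose imported RID the algorithmic scheme would silently renumber.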