"add machine script" [was Re: Can I kill 'restrict anonymous'?]

Andrew Bartlett abartlet at pcug.org.au
Sun Nov 11 23:09:10 GMT 2001

"Gerald (Jerry) Carter" wrote:
> On Mon, 12 Nov 2001, Andrew Bartlett wrote:
> > Simple, reasonable paramaters.  Allow flexablity, but don't have muliple
> > paramaters that only produce the desired effect in combination.  Also
> > remove non-sensical paramaters.  (Restrict anonymous that did no such
> > thing).
> What you see as flexible.  I see as bloat.  I'm sure that "read
> only/writeable/writable" was seen as flexible to start off with.
> Our smb.conf man page is ~130 pages in length.  Why add another parameter
> for something we can already do?
> > Sorry, not my quote.  My 'server role' indeed makes the situation *less*
> > complex and does indeed 'dumb down' samba, in the way we want.
> Still not convinced. Sorry.  Besides adding the "auth order" (whic I agree
> is a new feature we need), I fail to see how "server role" allows me to do
> something I can't already do.

There is a case, see below, but the idea here to make the transformation
between admin intent -> smb.conf -> smbd/nmbd action more transparent
and straightforward.

Compiling your own C code doesn't do anything much you couldn't do with
a lot of assembler does it?  But I'll argue its a bit easier to follow.

> Am I being thick headed?  The "server role" parameter seems like a
> gratuitous change.  Given your description, you have taken two boolean
> parameters and replaced them with one parameter accepting a descreet
> list of enums.  All for what?  Sorry Andrew B.  I don't see any gain
> here.

Partly because the table was incomplete (you asked for both, I only gave
one, sorry).  That was the mapping from server role to domain
master/domain logons.  This is the current mapping from domain master,
domain logons and security = to the various roles (which are already in

  Domain Master    Domain Logons      Security
      Y                  Y             USER     = PDC
      N                  N             DOMAIN   = BDC
      N                  N             SERVER   = BDC
      N                  N             DOMAIN   = DOMAIN MEM
      N                  N             USER     = STANDALONE
      *                  *             SHARE    =

I think this covers most of it.

Now you see the problem.  I'm not even sure how Volker does his BDC
stuff with this arrangement, because all the BDCs (reading what they see
as their local SAM, via LDAP) would declare 'I am a PDC', because I have
local SAM.

If we then decide that the issue of local/remote sam is indeterminate to
the rest of samba, then we are left without the foggiest as to what the
heck we are.

Other than that, complete this sentence:

My Samba server is a ......

Your options are:

Domain master and a logon server with local sam
logon server but not domain master with domain/server password checking
server with domain password checking
server that is neither domain master nor domain logons and has a local
(the oddball case) Domain master but not a logon server

member server
DMB (yes, this is oddball)

I think that it is simpler to say that (for the common case) my server
is a 'PDC' or a 'Domain member' than to say some of the other things. 
These can be used to hang sane defaults for other parameters, and to
remove parameters where the only functional configuration is the only
defined by the role in the first place.  (I'm thinking domain master and
domain logons here).

I hope this makes sense,

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list