Can I kill... 'add user script' behaviour in adding users during logon?
Simo Sorce
idra at samba.org
Fri May 17 07:44:02 GMT 2002
I agree, they must be separate, and delete user script must NOT be
called by the auth subsystem; it is too dangerous.
Simo.
On Fri, 2002-05-17 at 15:22, Andrew Bartlett wrote:
> The behavior of the 'add user script' smb.conf option is rather weird:
>
> It is documented as an option to the login parts of the protocol, and
> used to add users dynamically during the logon process, if they don't
> exist locally.
>
> However, it is also used in the SAMR code when an admin explicitly
> creates a user. This is actually the more natural use for the
> parameter, but it is unnaturally shared between the two areas.
>
> This 'dual use' causes problems - unexpected users being created etc.
>
> However, this is nothing compared to its evil twin:
>
> 'delete user script' runs when a user attempts to log in, but the PDC
> says that they don't exist. Firstly: does this really happen? If a
> user has to attempt to log in to trigger it, what exactly is the
> point... This also has rather nasty consequences, when the user does not
> exist on the PDC (normal local user etc), the script can fire. If the
> admin is not careful this can be quite nasty. While this is documented,
> it is still nasty.
>
> What's more, all the PDC documentation refers to these options for their
> SAMR use, so as to create machine accounts on demand...
>
> Now both of these options are *too* easy to misconfigure, and they
> really don't fit well into the HEAD authentication setup anyway.
>
> Could these be killed in the auth context? This would leave them as
> SAMR commands, for when users are really added to the system.
>
> If we still need the capability to add users to the system on a dynamic
> basis (this is really the job of winbind, but I digress) could we at
> least use a different option? Like 'dynamic login user add script'?
> Or keep these but rename the SAMR meanings?
>
> What do you think?
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
>
--
Simo Sorce
----------
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it
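
An added example, not part of the original messages and not Samba project code: a small smb.conf audit that reports where 'add user script' or 'delete user script' is set, so an admin can review whether a logon-triggered account script is intended. The function names and the sample configuration are constructed for illustration; parameter names are matched ignoring case and whitespace, as smb.conf does.

```python
import re

# The two parameters the thread describes as too easy to misconfigure.
RISKY = {"adduserscript", "deleteuserscript"}

def normalize(name):
    # smb.conf ignores case and internal whitespace in parameter names,
    # so "Delete User Script" and "deleteuserscript" are the same option.
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    # Join physical lines that end in a backslash continuation.
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def audit(text):
    """Return (section, parameter, command) for each risky script that is set."""
    findings, section = [], None
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        value = " ".join(value.split())       # collapse continuation padding
        if normalize(name) in RISKY and value:
            findings.append((section, normalize(name), value))
    return findings

# Constructed sample configuration (not taken from the thread).
SAMPLE = r"""[global]
   workgroup = EXAMPLE
   ; add user script = /usr/sbin/useradd -m %u
   Delete User Script = /usr/sbin/userdel \
       -r %u
   adduserscript = /usr/sbin/useradd -d /home/%u %u
"""

if __name__ == "__main__":
    for section, param, command in audit(SAMPLE):
        print(f"[{section}] {param}: {command}")
```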