No nua for Samba-3.0rc1?

Andrew Bartlett abartlet at samba.org
Sat Aug 30 23:39:50 GMT 2003


On Sat, 2003-08-30 at 23:47, Tom Alsberg wrote:
> On Thu, Aug 28, 2003 at 12:49:08PM -0500, Gerald (Jerry) Carter wrote:
> > > <snip />
> > > Correct. No NUA for Users. NUA still works for machine accounts.
> 
> Well, I am actually interested in machine accounts for this matter.
> 
> > not really John.  The support is the same for both users 
> > and machine accounts.  Every entity has to have a unix account
> > retrievable via getpwnam().
> 
> Why is this so now?

Because the idmap code (which allowed us to delay UID allocation,
potentially forever) is no longer used for local accounts (including
machines).

> > To answer the original question.  the XXX_nua passdb backends 
> > were all removed.
> 
> I suppose there is a reason they were removed.  Anyway, is it related
> to some change in Samba somewhere else, or can I add sort of NUA 
> functionality to my passdb backend and it'll work?

They were removed when their functionality was rolled into idmap.  Then
idmap was rolled back to just remote accounts.   A couple of developers
(including myself) are interested in taking this concept forward again -
however time pressures mean that this certainly won't happen
particularly soon (and even then, this is an issue for past the 3.0
release).

> Does Samba actually do anything (run any code) as the UID of 
> machines?  

Potentially it could, in the future.  As we start to move towards active
directory, we will need to support this feature for genuine file
access.  (Because machines can log in with kerberos).  Much sooner, we
are going to need to face this for machines that log in with schannel.

> Could I generally just be able to give all machines the 
> same UID (say, that of nobody), (of course, taking care that they get 
> unique SIDs/domain RIDs) and this way not have to give machines 
> system accounts?  That's really the functionality I'm looking for.  I 
> do not want to complicate matters with accounts for machines when 
> they don't really need anything.

Because a machine (like any SID) may potentially own files, they need to
be represented by a real UID.  Having a one-to-many UID->SID mapping is
just looking for trouble - we have too much code that assumes this is
symmetric.

> I am pretty against creating accounts and removing them on the fly 
> (actually I am not interested in administration from Windows either, 
> but that's something different - not really "on the fly" per se).
> Where does Samba need those accounts - what would happen if they just 
> didn't really exist?

The current process allows their creation and removal without touching
/etc/passwd, if that helps.  At some point, the account must be created
- there is interest in creating it in our passdb, and simply making that
sufficient for the entire system (exporting the passdb to nsswitch). -
but whatever you do, we must create the account.  (Again, such an export
is a post-3.0 thing).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
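The point Andrew makes above about the UID/SID mapping needing to stay symmetric, and Jerry's remark that every entity must be retrievable via getpwnam(), can be illustrated with a small model. The following is an added example written for this page; it is not Samba's idmap or passdb code. The `Idmap` class, the domain SID, the machine RIDs and the UIDs are all constructed sample values, and the "last writer wins" behaviour of the non-strict mode is an assumption made to show the ambiguity, not a description of how any Samba backend behaves.

```python
"""Added illustration (not Samba code): why the UID<->SID mapping must be one-to-one.

Samba has to resolve in both directions: SID -> UID when a client sets
ownership or a machine creates a file, and UID -> SID when reporting the
owner of a file it stat()s.  If every machine account were mapped onto a
single UID (the 'nobody' scheme asked about in the thread), the reverse
lookup has no unique answer, so file ownership is misreported.
All SIDs and UIDs here are constructed sample values.
"""
import pwd
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID
NOBODY_UID = 65534                        # conventional 'nobody' uid on many systems


class IdmapError(ValueError):
    """Raised when a mapping would break the one-to-one assumption."""


@dataclass
class Idmap:
    """Bidirectional SID<->UID table.  strict=True enforces a bijection."""
    sid_to_uid: Dict[str, int] = field(default_factory=dict)
    uid_to_sid: Dict[int, str] = field(default_factory=dict)
    strict: bool = True

    def add(self, sid: str, uid: int) -> None:
        if sid in self.sid_to_uid:
            raise IdmapError(f"{sid} already mapped to uid {self.sid_to_uid[sid]}")
        if self.strict and uid in self.uid_to_sid:
            raise IdmapError(f"uid {uid} already owned by {self.uid_to_sid[uid]}")
        self.sid_to_uid[sid] = uid
        # Non-strict mode (assumed behaviour): the reverse entry is silently
        # overwritten, so the last SID added "wins" the reverse lookup.
        self.uid_to_sid[uid] = sid

    def uid_for(self, sid: str) -> Optional[int]:
        return self.sid_to_uid.get(sid)

    def sid_for(self, uid: int) -> Optional[str]:
        return self.uid_to_sid.get(uid)

    def owners_of_uid(self, uid: int) -> List[str]:
        """Every SID that claims this uid; more than one means ownership is ambiguous."""
        return sorted(s for s, u in self.sid_to_uid.items() if u == uid)


def machine_sid(rid: int) -> str:
    """Build a machine account SID from the constructed domain SID and a RID."""
    return f"{DOMAIN_SID}-{rid}"


def shared_uid_scheme() -> dict:
    """Model the 'all machines share the uid of nobody' scheme from the thread."""
    m = Idmap(strict=False)
    for rid in (1001, 1002, 1003):          # three hypothetical machine accounts
        m.add(machine_sid(rid), NOBODY_UID)
    # A file created by the machine with RID 1001 is stored with uid 65534.
    # When Samba later reports the owner, the reverse lookup cannot tell which
    # machine that was; here it returns whichever SID was mapped last.
    return {
        "reported_owner": m.sid_for(NOBODY_UID),
        "candidates": m.owners_of_uid(NOBODY_UID),
        "ambiguous": len(m.owners_of_uid(NOBODY_UID)) > 1,
    }


def strict_scheme() -> Optional[str]:
    """With the bijection enforced, the second machine cannot reuse the uid."""
    m = Idmap()
    m.add(machine_sid(1001), 10001)
    try:
        m.add(machine_sid(1002), 10001)
    except IdmapError as e:
        return str(e)
    return None


def unix_account_exists(name: str) -> bool:
    """The getpwnam() requirement: does the account resolve through NSS at all?"""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print("shared uid:", shared_uid_scheme())
    print("strict:", strict_scheme())
    print("root via getpwnam:", unix_account_exists("root"))
```

Running it shows that with three machines on one UID the reported owner of any file they create is simply the last SID mapped, while the strict table refuses the second mapping outright. The `unix_account_exists` check is the operational half of the argument: an account that NSS cannot resolve cannot be the UID a file is stored under in the first place, which is why the thread concludes that the account has to exist somewhere, even if not in /etc/passwd.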