Posix/Samba: the accounts managements

Aurélien Degrémont adegremont at idealx.com
Fri Oct 31 16:27:35 GMT 2003


After testing Samba 3 with LDAPSAM, I noted that some problems were 
present, due to the Samba behaviour concerning the management of the 
system accounts.
In the Samba SAMR API, when modifications are needed, Samba will first 
try to modify the Unix (Posix) accounts and then the Samba accounts, and 
this is quite problematic.

The main problem appeared when LDAPSAM is used with NSSLDAP. In this 
case, the Unix accounts are stored inside the LDAP directory as 
posixAccounts (structural) and Samba accounts are stored in the same 
directory as sambaSamAccounts (auxiliary).
So, when deleting accounts, Samba calls external scripts that will 
delete the Unix account. These scripts will try to remove the 
posixAccount before the sambaSAMAccount and LDAP doesn't like that :).

Samba is built over the system and maps Samba accounts over the system 
accounts. So Samba is the highest-level layer, and, when modifying 
something, the modification must always be done from the highest layer 
to the lowest layer. Isn't it?

So, I think it will be a good thing to change this behaviour, inverting 
the modifications and putting the Samba modifications before the Unix 
modifications. This will correct problems with the external script calls 
that often appeared during Samba installations.

Waiting for your comments...

