Posix/Samba: the accounts managements
Aurélien Degrémont
adegremont at idealx.com
Fri Oct 31 16:27:35 GMT 2003
Hi,
After testing Samba 3 with LDAPSAM, I noted that some problems were
present, due to Samba's behaviour concerning the management of the
system accounts.
In the Samba SAMR API, when modifications are needed, Samba will first
try to modify the Unix (Posix) accounts and then the Samba accounts, and
this is quite problematic.
The main problem appeared when LDAPSAM is used with NSSLDAP. In this
case, the Unix accounts are stored inside the LDAP directory as
posixAccounts (structural) and Samba accounts are stored in the same
directory as sambaSamAccounts (auxiliary).
So, when deleting accounts, Samba calls external scripts that will
delete the unix account. These scripts will try to remove the
posixAccount before the sambaSAMAccount and LDAP doesn't like that :).
Samba is built over the system and maps Samba accounts over the system
accounts. So Samba is the highest-level layer, and, when modifying
something, the modification must always be done from the highest layer
to the lowest layer. Isn't it?
So, I think it will be a good thing to change this behaviour, inverting
the modifications and putting the Samba modifications before the unix
modifications. This will correct problems with the external script calls
that often appeared during Samba installations.
Waiting for your comments...
Aurélien
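
Added example, not part of the original post and not Samba's own code: a small in-memory model of the ordering problem described in the message above. It assumes the external delete script removes the whole LDAP entry; the DN, attribute values and function names are constructed for illustration.

```python
class NoSuchObject(Exception):
    """Stands in for LDAP result code 32 (noSuchObject)."""

# Constructed sample data; the DN and all attribute values are made up.
DN = "uid=testuser,ou=Users,dc=example,dc=org"
SAMBA_ATTRS = ("sambaSID", "sambaNTPassword")

def make_directory():
    """One entry carrying both the Unix and the Samba account, as in the post."""
    return {DN: {
        "objectClass": {"posixAccount", "sambaSamAccount"},
        "uid": "testuser", "uidNumber": "1001", "gidNumber": "513",
        "homeDirectory": "/home/testuser",
        "sambaSID": "S-1-5-21-0-0-0-3002", "sambaNTPassword": "0" * 32,
    }}

def delete_unix_account(directory, dn):
    """Assumed behaviour of the external delete script: remove the whole entry."""
    if dn not in directory:
        raise NoSuchObject(dn)
    del directory[dn]

def delete_samba_account(directory, dn):
    """Remove only the sambaSamAccount class and its attributes from the entry."""
    if dn not in directory:
        raise NoSuchObject(dn)
    entry = directory[dn]
    entry["objectClass"].discard("sambaSamAccount")
    for attr in SAMBA_ATTRS:
        entry.pop(attr, None)

STEPS = {"unix": delete_unix_account, "samba": delete_samba_account}

def run(order):
    """Apply the two deletions in the given order; return per-step results."""
    directory = make_directory()
    results = []
    for name in order:
        try:
            STEPS[name](directory, DN)
            results.append((name, "ok"))
        except NoSuchObject:
            results.append((name, "noSuchObject"))
    return results

if __name__ == "__main__":
    print("unix first: ", run(("unix", "samba")))   # order described in the post
    print("samba first:", run(("samba", "unix")))   # order proposed in the post
```

With the Unix step first, the Samba step finds no entry left to modify; with the Samba step first, both steps complete and the entry is gone at the end.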