NUA for machine accounts

Andrew Bartlett abartlet at samba.org
Thu May 6 12:15:15 GMT 2004


On Thu, 2004-05-06 at 21:34, Tom Alsberg wrote:
> If I understand correctly, NUA (No Unix Account) is gone from Samba
> 3.0 already.  (Any plans for it?  Idea for replacement?)

It was a bad idea - even machines 'log in' to the server, and need real
POSIX identities.

> However I don't want each workstation to have a Unix account (or a
> UID, for that matter).  Mapping them to user nobody in the simplest
> way breaks because then they all have the same SID as well.

Why not?  I really think that the 'cost' of a line in /etc/passwd (given
we are going to need the UID soon anyway) is not much.

Machines can log in, own files, and generally do everything a user can
do.  In the NTLM world, the 'log in' bit is weird, but Kerberos (and
some possible changes I want to make to Samba) make it a real thing.

> I want to do something, that will give all workstations the UID of
> nobody, (and no local Unix record) but give each a unique SID.
> Currently my idea is to look at the add account routines (in tdbsam)
> and modify them to look for a new available SID, and give that to the
> account.  That means some modifications in tdbsam, though, so I'm
> trying to avoid it.
> 
> How can I do it as cleanly as possible in my external passdb module?
> 
> The principal question is - since the add_sam_account gets an already
> filled structure, it will probably break if I change the SID there
> (something previous would have already assumed a different SID), so
> where should the change be?

Really, just don't play with this.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net