NUA for machine accounts

Tom Alsberg alsbergt at cs.huji.ac.il
Thu May 6 17:51:41 GMT 2004


On Thu, May 06, 2004 at 10:15:15PM +1000, Andrew Bartlett wrote:
> On Thu, 2004-05-06 at 21:34, Tom Alsberg wrote:
> > If I understand correctly, NUA (No Unix Account) is gone from Samba
> > 3.0 already.  (Any plans for it?  Idea for replacement?)
> 
> It was a bad idea - even machines 'log in' to the server,

I understand that technically they do (not sure exactly how, though) 
- but I wasn't sure in what sense, except with regard to the domain 
stuff...

Can you give more information/examples?  As in, how does a machine
log in to the domain, what it is useful for, how does it look 
Windows-wise?

Generally, I have some ideas in my mind on how it could be used, but
would like to know more, and understand that stuff better.

> and need real POSIX identities.

Why, actually?  Machines can own files, yes...  But say it wouldn't
really happen (in our deployment, I don't see why it should).  Couldn't 
it be somehow disabled in the configuration (so that machines 
couldn't take ownership of files)?

> > However I don't want each workstation to have a Unix account (or a
> > UID, for that matter).  Mapping them to user nobody in the simplest
> > way breaks because then they all have the same SID as well.
> 
> Why not?  I really think that the 'cost' of a line in /etc/passwd (given
> we are going to need the UID soon anyway) is not much.

Why are we really going to need that UID?  I mean, it might have uses,
but is it really needed for normal usage?

I'm sorry that I'm "arguing" about it - I don't mean to.  I just want
to understand more.

Anyway, the cost is:

  Firstly, the Samba server is a (not-completely - it has local data 
in /var) diskless machine - and shouldn't have /etc modified (we can 
change files in /etc of some diskless computers from the central 
server, but files just written to /etc would go away on reboot, and 
would need to be somehow preserved in another way), so we need to 
have the machine Unix account information stored some other way (NSS, 
or modify sys_getpwnam).  Right now we have some ugly system that 
really puts them in /etc/passwd and also notifies the server to copy 
passwd to the diskless configuration of that machine.

  Secondly, I just don't like the idea of polluting the Unix user 
namespace (which is overall site global, but even if we put the 
machine accounts locally in the Samba server, the UIDs cannot be UIDs 
which already exist in the global database).  I would do it if I have 
to, but I want to understand more...

  Thirdly, there are only about 65535 UIDs...  Theoretically there
can be more machines than UIDs left for use (although this isn't the
condition here right now - we have about 4000 users, 700 computers, 
out of which only about 100 run Windows).

> Machines can log in, own files, and generally do everything a user can
> do.  In the NTLM world, the 'log in' bit is weird,

What is it?  Is a domain member machine "logging in" to the domain
on startup?

> but Kerberos (and some possible changes I want to make to Samba) 
> make it a real thing.

But what would a machine do when logged in?  What causes a machine
to log in?

> Really, just don't play with this.

Well, I'm trying to mess as little as possible with the internals of
Samba, but if that'd be possible without much trouble, I'd like to
know the implications...

Some info for matters:

In our intended deployment, all machines are alike (with regard to
the Samba server), no one has any special rights or different access
(we implement access control in the authentication module, using the
same custom scheme that we use for Unix authorization - machine or
machine group has the list of users (and groups of users) who may log 
in to it, but that's irrelevant here).  Actually, if it would be possible,
there would be no need to authenticate to join the domain at all, 
everybody being able to join the domain and the server just accepting 
anyone.  Also no administration or password changing is done from 
Windows (we don't trust Windows - users should use Unix).

> Andrew Bartlett

  Thanks for the reply, sorry again for trying to go the "wrong" way,
  -- Tom

-- 
  Tom Alsberg - hacker (being the best description fitting this space)
  Web page:	http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER:  The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.


More information about the samba-technical mailing list