storing our machine account name in secrets.tdb

Andrew Bartlett abartlet at samba.org
Tue Mar 13 23:09:02 GMT 2007


On Tue, 2007-03-13 at 11:47 -0500, Gerald (Jerry) Carter wrote:
> Volker Lendecke wrote:
> > On Tue, Mar 13, 2007 at 12:16:46PM -0400, simo wrote:
> >> Great!
> >> I really like this.
> >> Any plan to return a warning if the netbios name is different?
> >> Or do you just want to decouple winbindd from the main samba
> >> configuration ?
> > 
> > I want to decouple all operations that need to access our
> > machine account in one way or the other (auth2, krb
> > operations, machine pw changes) from global_myname(). Using
> > global_myname() in these places is just wrong from my point
> > of view.
> 
> Volker,  Are you sure this is worth it?  I mean a
> dhcp client that doesn't specify its name in smb.conf
> is just broken in my opinion.  I consider this more
> of a configuration error and covering over it might
> cause more pain than it fixes.
> 
> I mean all systems I can think of, Linux or otherwise,
> allow you to decouple the hostname from the DHCP
> address and name.

I was going to agree with Volker's suggestion, as I think I implemented
it this way in Samba4, but this is a very important point.  Particularly
given the NTLMv2 implications (which is just a lovely way to get subtly
broken), having one hostname in secrets.tdb and another for everything
else is asking for pain, unless its main purpose is as a warning.

That said, I've never liked mixing our hostname with the account name,
and breaking that assumption on the server side was one of the key steps
towards supporting incoming domain trusts, quite a few years ago.

We get similar issues in clusters, where there is the problem that
individual nodes have hostnames, but the client thinks they are talking
to a single name.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com