[Samba] Re: Can I kill... 'add user script' behaviour in adding users during logon?

Simo Sorce idra at samba.org
Fri May 17 07:44:15 GMT 2002


I agree, they must be separate, and delete user script must NOT be
called by the auth subsystem; it is too dangerous.

Simo.

On Fri, 2002-05-17 at 15:22, Andrew Bartlett wrote:
> The behavior of the 'add user script' smb.conf option is rather weird:
> 
> It is documented as an option to the login parts of the protocol, and
> used to add users dynamically during the logon process, if they don't
> exist locally.
> 
> However, it is also used in the SAMR code when an admin explicitly
> creates a user.  This is actually the more natural use for the
> parameter, but it is unnaturally shared between the two areas.
> 
> This 'dual use' causes problems - unexpected users being created etc.  
> 
> However, this is nothing compared to its evil twin:
> 
> 'delete user script' runs when a user attempts to log in, but the PDC
> says that they don't exist.  Firstly:  does this really happen?  If a
> user has to attempt to log in to trigger it, what exactly is the
> point... This also has rather nasty consequences, when the user does not
> exist on the PDC (normal local user etc), the script can fire.  If the
> admin is not careful this can be quite nasty.  While this is documented,
> it is still nasty.
> 
> What's more, all the PDC documentation refers to these options for
> their SAMR use, so as to create machine accounts on demand...
> 
> Now both of these options are *too* easy to misconfigure, and they
> really don't fit well into the HEAD authentication setup anyway.
> 
> Could these be killed in the auth context?  This would leave them as
> SAMR commands, for when users are really added to the system.
> 
> If we still need the capability to add users to the system on a dynamic
> basis (this is really the job of winbind, but I digress) could we at
> least use a different option?    Like 'dynamic login user add script'? 
> Or keep these but rename the SAMR meanings?
> 
> What do you think?
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 
-- 
Simo Sorce
----------
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it
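
An added example, not part of either message and not Samba code: a small audit that reports whether an smb.conf sets 'add user script' or 'delete user script' in [global], so an admin can review the commands the logon path could run. The function names and the sample configuration are constructed for illustration.

```python
import re

# The two smb.conf options the thread calls too easy to misconfigure.
RISKY = {"adduserscript": "add user script",
         "deleteuserscript": "delete user script"}

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; a comment line
   Add User Script = /usr/sbin/useradd -m %u
   delete  user script = /usr/sbin/userdel \\
        -r %u
[homes]
   add user script = ignored outside global
"""

def parse_global(text):
    """Return {normalised_name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):        # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive and whitespace is ignored.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """List (option, command) pairs for each risky option that is set."""
    params = parse_global(text)
    return [(label, params[key]) for key, label in RISKY.items()
            if params.get(key)]

if __name__ == "__main__":
    for option, command in audit(SAMPLE):
        print(f"review: '{option}' is set to: {command}")
```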



