On Fri, 2004-11-26 at 14:46 +1100, tom burkart wrote:
> On Nov 24, John H Terpstra wrote:
> > You are completely correct that Samba can do an LDAP lookup to get user and
> > group ID information, but that is not the issue. How do you propose to
> > resolve IDs within the OS if not through NSS?
> Ok, I still have difficulties with this one.
> Why is it necessary for all and every *nix application to be able to
> get information about machine accounts as well as the obvious actual
> users?  I can see and understand why for the normal users but why machine
> accounts?  Shouldn't that be something that samba quietly looks up and
> makes no fuss about?  Why else would we need to provide an ldap
> user/group/machine suffix in the smb.conf?  This is probably where I got
> the mistaken notion of separating them out and then it didn't work without
> modifying the nss configuration.

Machines have accounts, and act as posix users with those accounts.  In
particular, machines in ADS domains really do *log in and access files*
as these users.  Furthermore, the RIDs allocated to these machines are
directly related to posix UID and GID values, so the machines need to
'take up' the posix side of the mapping, even if they were never to log

So, the idea that I had with 'user/group/machine' suffix in LDAP came
not from where to search for users, but where to add new users/machines
etc.  They don't really have the same function any more, because other
changes were made that mean that the posix attributes must be added
first, with the script.  However, that's the history.

At my site, I do have machines well separated from users, and there is
*nothing* wrong with that.  I have a single ldap suffix
(dc=hawkerc,dc=net for what it's worth), and ou values under that.  The
search will search over unrelated data but as it won't find a match,
it's not an issue.  (Some sites may find the performance issues with
this a problem, but I would look at the index config first).

Andrew Bartlett
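To make the RID/UID point above concrete, here is an added example (not code from the thread or from Samba) modelling Samba 3's classic algorithmic RID mapping, where a user's RID is derived from its posix UID. The NSS passwd table, the domain SID and the `algorithmic rid base` value are constructed or assumed for illustration; the point it shows is that a machine account the OS cannot resolve through NSS has no UID and therefore no SID.

```python
# Added example, not from the thread or from Samba's code. Models Samba 3's
# classic algorithmic RID scheme: user rid = uid*2 + base, group rid = gid*2
# + base + 1, with base taken from smb.conf "algorithmic rid base" (1000 is
# assumed here as the default). Domain SID and passwd table are constructed.
ALGORITHMIC_RID_BASE = 1000
RID_MULTIPLIER = 2
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID

# Constructed stand-in for what NSS (e.g. nss_ldap) returns from getpwnam():
# name -> (uid, gid). Machine (trust) accounts carry the trailing '$'.
NSS_PASSWD = {
    "tom":   (1001, 100),    # ordinary user
    "ws01$": (1050, 2000),   # machine account, also a posix user
}

def uid_to_user_rid(uid):
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE

def gid_to_group_rid(gid):
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1

def rid_to_uid(rid):
    # Only even offsets above the base are algorithmic user RIDs;
    # well-known RIDs below the base (500, 512, ...) are not mapped here.
    off = rid - ALGORITHMIC_RID_BASE
    if off < 0 or off % RID_MULTIPLIER:
        raise ValueError(f"RID {rid} is not an algorithmic user RID")
    return off // RID_MULTIPLIER

def sid_for_account(name):
    """(user SID, primary group SID) for an account, resolved via NSS.
    Raises KeyError when the OS cannot resolve the name: this is the
    failure the thread describes when machine accounts are kept out of NSS."""
    uid, gid = NSS_PASSWD[name]
    return (f"{DOMAIN_SID}-{uid_to_user_rid(uid)}",
            f"{DOMAIN_SID}-{gid_to_group_rid(gid)}")

def uid_for_sid(sid):
    """Reverse direction, e.g. a SID seen in a file ACL back to a posix uid."""
    prefix, rid = sid.rsplit("-", 1)
    if prefix != DOMAIN_SID:
        raise ValueError("SID from a foreign domain")
    return rid_to_uid(int(rid))

if __name__ == "__main__":
    print(sid_for_account("ws01$"))   # machine account resolves like a user
    print(uid_for_sid(sid_for_account("tom")[0]))
```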

