[Samba] Joining a domain controller with a conflict name
jon at sutinen.com
Thu Apr 14 06:40:59 GMT 2005
Tom Skeren wrote:
> Andrew Bartlett wrote:
>> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>>> Did you mean that "Yes", there is a way to prevent joining a domain
>>> using another server name or did you mean "Yes" that IT must make sure
>>> the name is unique and no computer with this name is already part of
>>> this domain when joining a domain.
>> This is the sole responsibility of the IT department. Like windows,
>> Samba will use the name it is given.
>> It is not possible to reliably determine the difference between a
>> machine that is rejoining the domain (say after catastrophic hardware
>> failure, or simply an failure in the trust account) and a duplicate
>> machine, elsewhere in the domain.
> True. However, if a machine named say SA1 is up and connected, and
> another SA1 shows up, a network error should occur. Especially if a
> WINS server is up.
Again, this is the responsibility of the network administrator. That's
why a password is required to join a domain, so those who don't know the
password (read: your users) can't mess up your network. As an
administrator, it's your responsibility to make sure that a network name
conflict does not occur, by knowing if there's a machine with THAT NAME
on the network already.
In a purely Windows world, a naming conflict will be detected on the
network as soon as the second machine boots up. You'll get a message on
screen to the effect of "another computer with this name exists on the
network." Since Samba works a little differently, you won't see a
message like this unless you look in the logs (and your logging is set
to an appropriate level).
This brings to mind two ideas for improving Samba:
- As part of its startup routine, Samba should check to see if there are
any naming conflicts and refuse to start if there are (returning an
error to the console so you know WHY it's not starting). Of course, if
the other machine with that name is presently not on the network, no
error would occur. An option could be added to allow operation where
naming conflicts could occur, though the use of this option would be
- As part of the 'net join' routine, Samba should check to see if the
domain controller already has an account by that computer name, and if
so, present a warning and a prompt to continue. ('A computer account
with the name SAMBA already exists in the domain ABMAS. Replace account?
(y/n) [n]') This would give Samba (even more) functionality that Windows
doesn't do, and the administrator a sanity check before screwing
something up. The default behaviour (if the admin just hits enter)
should be to either re-ask the question, or assume "no" and not replace
the account. If the answer is "no" then an error stating failure to join
the domain should appear.
Sutinen Consulting, Inc.
More information about the samba