[Samba] Joining a domain controller with a conflict name

Jonathan Johnson jon at sutinen.com
Thu Apr 14 06:40:59 GMT 2005


Tom Skeren wrote:

> Andrew Bartlett wrote:
>
>> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>>
>>> Did you mean that "Yes", there is a way to prevent joining a domain with
>>> using another server name or did you mean "Yes" that IT must make sure
>>> the name is unique and no computer with this name is already part of
>>> this domain when joining a domain?
>>
>> This is the sole responsibility of the IT department.  Like Windows,
>> Samba will use the name it is given.
>>
>> It is not possible to reliably determine the difference between a
>> machine that is rejoining the domain (say after catastrophic hardware
>> failure, or simply a failure in the trust account) and a duplicate
>> machine, elsewhere in the domain.
>
> True.  However, if a machine named say SA1 is up and connected, and 
> another SA1 shows up, a network error should occur.  Especially if a 
> WINS server is up.

Again, this is the responsibility of the network administrator. That's 
why a password is required to join a domain, so those who don't know the 
password (read: your users) can't mess up your network. As an 
administrator, it's your responsibility to make sure that a network name 
conflict does not occur, by knowing if there's a machine with THAT NAME 
on the network already.

In a purely Windows world, a naming conflict will be detected on the 
network as soon as the second machine boots up. You'll get a message on 
screen to the effect of "another computer with this name exists on the 
network." Since Samba works a little differently, you won't see a 
message like this unless you look in the logs (and your logging is set 
to an appropriate level).

This brings to mind two ideas for improving Samba:

- As part of its startup routine, Samba should check to see if there are 
any naming conflicts and refuse to start if there are (returning an 
error to the console so you know WHY it's not starting). Of course, if 
the other machine with that name is presently not on the network, no 
error would occur. An option could be added to allow operation where 
naming conflicts could occur, though the use of this option would be 
discouraged.

- As part of the 'net join' routine, Samba should check to see if the 
domain controller already has an account by that computer name, and if 
so, present a warning and a prompt to continue. ('A computer account 
with the name SAMBA already exists in the domain ABMAS. Replace account? 
(y/n) [n]') This would give Samba (even more) functionality that Windows 
doesn't do, and the administrator a sanity check before screwing 
something up. The default behaviour (if the admin just hits enter) 
should be to either re-ask the question, or assume "no" and not replace 
the account. If the answer is "no" then an error stating failure to join 
the domain should appear.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
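
An added example, not part of the original message and not Samba's own code: a pre-join check along the lines of the first idea above, flagging any other host that currently answers for the NetBIOS name. It assumes `nmblookup NAME` prints one `IP NAME<00>` line per responder; the function names, sample output and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-join NetBIOS name conflict check (not Samba code).
# Assumption: `nmblookup NAME` prints one "IP NAME<00>" line per responder.

# conflicting_hosts NAME "OWN_IPS": reads nmblookup output on stdin and
# prints each responding IP that is not one of this machine's addresses.
conflicting_hosts() {
    name=$1 own_ips=$2
    awk -v name="$name" -v own="$own_ips" '
        BEGIN { n = split(own, a, " ")
                for (i = 1; i <= n; i++) mine[a[i]] = 1
                want = toupper(name) "<00>" }
        # Reply lines look like "192.0.2.10 SA1<00>"; skip everything else.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && toupper($2) == want {
            if (!($1 in mine) && !seen[$1]++) print $1
        }'
}

# name_is_free NAME "OWN_IPS": returns 0 when no foreign host answered.
name_is_free() {
    hosts=$(conflicting_hosts "$1" "$2")
    [ -z "$hosts" ]
}

# prejoin_check NAME "OWN_IPS": live wrapper to run before 'net join'.
# Fails closed: a missing nmblookup is an error, not "no conflict".
prejoin_check() {
    command -v nmblookup >/dev/null 2>&1 ||
        { echo "nmblookup not found; cannot check $1" >&2; return 2; }
    if nmblookup "$1" 2>/dev/null | name_is_free "$1" "$2"; then
        echo "OK: no other host answers for $1"
    else
        echo "REFUSING: another host already answers for $1" >&2
        return 1
    fi
}

# Constructed sample output (documentation addresses, not a real capture).
SAMPLE_CONFLICT='querying SA1 on 192.0.2.255
192.0.2.10 SA1<00>
192.0.2.77 SA1<00>'
SAMPLE_FREE='querying SA1 on 192.0.2.255
name_query failed to find name SA1'

# Demo on the constructed sample; 192.0.2.10 is treated as our own address.
printf '%s\n' "$SAMPLE_CONFLICT" | conflicting_hosts SA1 "192.0.2.10"
```

As the message notes, a check like this only sees a duplicate that is on the network when it runs; it says nothing about a computer account that already exists on the domain controller.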