[Samba] Joining a domain controller with a conflict name

Andrew Bartlett abartlet at samba.org
Thu Apr 14 06:52:51 GMT 2005 

On Wed, 2005-04-13 at 23:40 -0700, Jonathan Johnson wrote:

> In a purely Windows world, a naming conflict will be detected on the 
> network as soon as the second machine boots up. You'll get a message on 
> screen to the effect of "another computer with this name exists on the 
> network." Since Samba works a little differently, you won't see a 
> message like this unless you look in the logs (and your logging is set 
> to an appropriate level).
> 
> This brings to mind two ideas for improving Samba:
> 
> - As part of its startup routine, Samba should check to see if there are 
> any naming conflicts and refuse to start if there are (returning an 
> error to the console so you know WHY it's not starting). Of course, if 
> the other machine with that name is presently not on the network, no 
> error would occur. An option could be added to allow operation where 
> naming conflicts could occur, though the use of this option would be 
> discouraged.

Except then you can Denial Of Service the Samba server simply with a
rouge laptop (and a known reboot, such as a paperclip in the right power
point...)

> - As part of the 'net join' routine, Samba should check to see if the 
> domain controller already has an account by that computer name, and if 
> so, present a warning and a prompt to continue. ('A computer account 
> with the name SAMBA already exists in the domain ABMAS. Replace account? 
> (y/n) [n]') 

I would be wary of changing the behaviour of 'net join', as various NAS
vendors in particular use scripts to control this behaviour.  However
feel free to file an enhancement request in bugzilla.

> This would give Samba (even more) functionality that Windows 
> doesn't do, and the administrator a sanity check before screwing 
> something up. The default behaviour (if the admin just hits enter) 
> should be to either re-ask the question, or assume "no" and not replace 
> the account. If the answer is "no" then an error stating failure to join 
> the domain should appear.

I'm skeptical, mostly because this is not reliable:
 - Lots of 'old' accounts exist in these databases, in my experience
 - We often rejoin machines because the account fails
 - If we were to do a netbios lookup for the offending machine, we would
simply hit issues of Netbios scope and firewalls.

That is - do we gain by a check that the admin will regularly get a
'duplicate account detected' warning for, and know just to ignore it?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20050414/9a48a42e/attachment.bin

More information about the samba mailing list