[Samba] Joining a domain controller with a conflict name

Tom Skeren tms3 at fsklaw.com
Thu Apr 14 12:09:08 GMT 2005


Jonathan Johnson wrote:

> Tom Skeren wrote:
>
>> Andrew Bartlett wrote:
>>
>>> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>>>
>>>> Did you mean that "Yes", there is a way to prevent joining a domain
>>>> with using another server name or did you mean "Yes" that IT must
>>>> make sure the name is unique and no computer with this name is
>>>> already part of this domain when joining a domain.
>>>
>>>
>>> This is the sole responsibility of the IT department.  Like Windows,
>>> Samba will use the name it is given.
>>>
>>> It is not possible to reliably determine the difference between a
>>> machine that is rejoining the domain (say after catastrophic hardware
>>> failure, or simply a failure in the trust account) and a duplicate
>>> machine, elsewhere in the domain.
>>
>>
>> True.  However, if a machine named say SA1 is up and connected, and
>> another SA1 shows up, a network error should occur.  Especially if a
>> WINS server is up.
>
>
> Again, this is the responsibility of the network administrator. That's 
> why a password is required to join a domain, so those who don't know 
> the password (read: your users) can't mess up your network. As an 
> administrator, it's your responsibility to make sure that a network 
> name conflict does not occur, by knowing if there's a machine with 
> THAT NAME on the network already.

Yes, that's all fine and good, except when the boss allows some visiting 
dignitary to plug his laptop into the ethernet port in the conference 
room, etc.

>
> In a purely Windows world, a naming conflict will be detected on the 
> network as soon as the second machine boots up. You'll get a message 
> on screen to the effect of "another computer with this name exists on 
> the network." Since Samba works a little differently, you won't see a 
> message like this unless you look in the logs (and your logging is set 
> to an appropriate level).
>
> This brings to mind two ideas for improving Samba:
>
> - As part of its startup routine, Samba should check to see if there 
> are any naming conflicts and refuse to start if there are (returning 
> an error to the console so you know WHY it's not starting). Of course, 
> if the other machine with that name is presently not on the network, 
> no error would occur. An option could be added to allow operation 
> where naming conflicts could occur, though the use of this option 
> would be discouraged.
>
> - As part of the 'net join' routine, Samba should check to see if the 
> domain controller already has an account by that computer name, and if 
> so, present a warning and a prompt to continue. ('A computer account 
> with the name SAMBA already exists in the domain ABMAS. Replace 
> account? (y/n) [n]') This would give Samba (even more) functionality 
> that Windows doesn't do, and the administrator a sanity check before 
> screwing something up. The default behaviour (if the admin just hits 
> enter) should be to either re-ask the question, or assume "no" and not 
> replace the account. If the answer is "no" then an error stating 
> failure to join the domain should appear.
>
> ~Jonathan Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
>
>
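
The startup-time name check proposed in the quoted message above, sketched as an added example (not part of the original thread and not Samba code). The function names `name_holders` and `conflict_check`, the addresses, and the two sample outputs are constructed; the samples assume the line format `nmblookup` prints for a name query.

```shell
#!/usr/bin/env bash
# Added example: pre-start NetBIOS name-conflict check for a Samba host.

# Constructed sample of `nmblookup SA1` output: another host holds the name.
SAMPLE_TAKEN='querying SA1 on 192.168.1.255
192.168.1.40 SA1<00>'

# Constructed sample: nobody answered for the name.
SAMPLE_FREE='querying SA1 on 192.168.1.255
name_query failed to find name SA1'

# name_holders NAME: read nmblookup output on stdin and print every IP that
# answered for NAME<00> (the computer-name entry). Matching is case-insensitive.
name_holders() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) "<00>" }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && toupper($2) == want { print $1 }
    '
}

# conflict_check NAME OWN_IP: return 0 if the name is unclaimed or held only
# by OWN_IP (this host restarting); return 1 and list the other holders if a
# different address answers. As the thread notes, a duplicate that is powered
# off is invisible to this check, and a rejoin from a new address looks the
# same as a duplicate, so the result is a warning for the admin, not proof.
conflict_check() {
    local name="$1" own_ip="$2" foreign
    foreign=$(name_holders "$name" | awk -v own="$own_ip" 'NF && $1 != own')
    if [ -n "$foreign" ]; then
        printf 'name %s already held by: %s\n' "$name" "$(echo $foreign)"
        return 1
    fi
    return 0
}

# Demo on the constructed samples. A live check would pipe `nmblookup SA1`
# (or `nmblookup -U <wins-server> -R SA1` to query a WINS server) instead.
printf '%s\n' "$SAMPLE_TAKEN" | conflict_check SA1 192.168.1.10 || echo "refusing to start"
printf '%s\n' "$SAMPLE_FREE" | conflict_check SA1 192.168.1.10 && echo "name is free"
```
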
