[Samba] Samba 4 "Trigger" when user is created???
jra at samba.org
Fri Nov 14 16:36:00 MST 2014
On Sat, Nov 15, 2014 at 12:25:13PM +1300, Andrew Bartlett wrote:
> On Fri, 2014-11-14 at 14:17 -0800, Jeremy Allison wrote:
> > On Fri, Nov 14, 2014 at 10:40:16PM +1300, Andrew Bartlett wrote:
> > > On Wed, 2014-11-12 at 12:54 -0800, Greg Zartman wrote:
> > > > I am working to deploy Samba4 on the SME Server: A customized version of
> > > > Centos with a web management GUI and configuration API.
> > > >
> > > > One of the challenges we see is how we synchronize our SME Server
> > > > configuration API with users who are created using tools outside of *nix.
> > > > For example if a user were created using the windows administration tools.
> > > >
> > > > Are there any triggers in Samba that could be set to let the system know a
> > > > new user was created by tools other than those provided by Samba?
> > >
> > > We do some things internally when a new user is created - the samldb
> > > module is one of the (many) places we hook on, in our ldb module stack.
> > > But yes, we don't call out to an external script any more. We also have
> > > to be a bit careful when doing so, as we would still be under the
> > > transaction lock.
> > >
> > > I agree we can improve in this area. We wouldn't match AD any more -
> > > all the servers would have to be matching Samba servers - but we should
> > > do better. Ideally we would re-use the existing option, to keep things
> > > consistent.
> > Couldn't we just add the hook inside:
> > source4/rpc_server/samr/dcesrv_samr.c:dcesrv_samr_CreateUser2()
> > just before we return NT_STATUS_OK ?
> > That would be the old-school way to do it :-).
> No, because that wouldn't catch anything (much) any more. Most users
> (and by default, all machine accounts) are created against AD via the
> LDAP interface.
> Additionally, we would have to make sure that anything that ran also
> behaved correctly when operated from:
> - SAMR
> - LDAP
> - samba-tool
> - Direct LDB access
> - passdb-based tools (net, pdbedit, smbpasswd)
> - DRS Replication from another AD server (should this be triggered, or
> As all would go via the same ldb module stack.
> Nothing impossible of course, just a bit more complex in the AD world.
Ah fair enough - thanks for the clarification Andrew !
More information about the samba