[Samba] Samba 4 "Trigger" when user is created???
Jeremy Allison
jra at samba.org
Fri Nov 14 16:36:00 MST 2014
On Sat, Nov 15, 2014 at 12:25:13PM +1300, Andrew Bartlett wrote:
> On Fri, 2014-11-14 at 14:17 -0800, Jeremy Allison wrote:
> > On Fri, Nov 14, 2014 at 10:40:16PM +1300, Andrew Bartlett wrote:
> > > On Wed, 2014-11-12 at 12:54 -0800, Greg Zartman wrote:
> > > > I am working to deploy Samba4 on the SME Server: A customized version of
> > > > Centos with a web management GUI and configuration API.
> > > >
> > > > One of the challenges we see is how we synchronize our SME Server
> > > > configuration API with users who are created using tools outside of *nix.
> > > > For example if a user were created using the windows administration tools.
> > > >
> > > > Are there any triggers in Samba that could be set to let the system know a
> > > > new user was created by tools other than those provided by Samba?
> > >
> > > We do some things internally when a new user is created - the samldb
> > > module is one of the (many) places we hook on, in our ldb module stack.
> > > But yes, we don't call out to an external script any more. We also have
> > > to be a bit careful when doing so, as we would still be under the
> > > transaction lock.
> > >
> > > I agree we can improve in this area. We wouldn't match AD any more -
> > > all the servers would have to be matching Samba servers - but we should
> > > do better. Ideally we would re-use the existing option, to keep things
> > > consistent.
> >
> > Couldn't we just add the hook inside:
> >
> > source4/rpc_server/samr/dcesrv_samr.c:dcesrv_samr_CreateUser2()
> >
> > just before we return NT_STATUS_OK ?
> >
> > That would be the old-school way to do it :-).
>
> No, because that wouldn't catch anything (much) any more. Most users
> (and by default, all machine accounts) are created against AD via the
> LDAP interface.
>
> Additionally, we would have to make sure that anything that ran also
> behaved correctly when operated from:
> - SAMR
> - LDAP
> - samba-tool
> - Direct LDB access
> - passdb-based tools (net, pdbedit, smbpasswd)
> - DRS Replication from another AD server (should this be triggered, or
> not?)
>
> As all would go via the same ldb module stack.
>
> Nothing impossible of course, just a bit more complex in the AD world.
Ah, fair enough - thanks for the clarification, Andrew!
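Since the thread concludes that Samba offers no external script hook on account creation, but every path (SAMR, LDAP, samba-tool, DRS) ends up in the same ldb store, here is an added example (not code from the thread or from Samba) of the practical alternative: poll the directory by the uSNCreated attribute and act on accounts above a stored high-water mark, which runs outside the transaction lock Andrew mentions. The LDIF is a constructed sample of ldbsearch output; the sam.ldb path and the query are assumed typical defaults.

```python
"""Added example: find newly created Samba AD users without an in-server hook.

Every creation path goes through the same ldb stack, so polling the directory
catches accounts created via SAMR, LDAP, samba-tool or DRS replication alike.
The sample below is a CONSTRUCTED stand-in for the output of (assumed command):

    ldbsearch -H /var/lib/samba/private/sam.ldb \
        '(&(objectClass=user)(!(objectClass=computer)))' \
        sAMAccountName uSNCreated whenCreated

Base64 ("attr:: value") attributes are not handled; the three attributes
requested here are plain text.
"""

SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uSNCreated: 3540
whenCreated: 20141112205401.0Z

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uSNCreated: 3901
whenCreated: 20141114221500.0Z

# returned 2 records
"""


def parse_ldif(text):
    """Split ldbsearch LDIF output into a list of {attribute: value} dicts."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:          # LDIF folded continuation line
            current[last] += line[1:]
            continue
        if not line.strip() or line.startswith("#"):  # blank line or comment ends a record
            if current:
                records.append(current)
            current, last = {}, None
            continue
        attr, _, value = line.partition(": ")
        current[attr], last = value, attr
    if current:
        records.append(current)
    return records


def new_users_since(ldif_text, last_usn):
    """Return (records created after last_usn in USN order, new high-water mark)."""
    new = [r for r in parse_ldif(ldif_text) if int(r.get("uSNCreated", 0)) > last_usn]
    new.sort(key=lambda r: int(r["uSNCreated"]))
    hwm = max([last_usn] + [int(r["uSNCreated"]) for r in new])
    return new, hwm
```

Persist the returned high-water mark between polls; each run then yields only accounts created since the previous one, whatever tool created them.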