Hi All,

Is there a way to prevent joining a domain with a NetBIOS name that is already used by another domain member?

For example, if I have SAMBA server "SA1" already joined to a domain and then I go to a different SAMBA server and make it join the same domain with the name "SA1" also. What I found out is that the domain controller does not care and it will let me join the domain, but of course the first SAMBA server loses its trust and cannot access the domain controller.

Of course, in the ADS case, if the name must be in DNS first, it will never happen, but when joining with DOMAIN type, I can see scenarios where it could happen.

I appreciate any idea how to prevent a server from stepping on another server when joining a domain. Is it the responsibility of the IT person to make sure the name is unique?

Cheers,
Ephi
Andrew Bartlett
2005-Apr-13 22:51 UTC
[Samba] Joining a domain controller with a conflict name
On Wed, 2005-04-13 at 15:40 -0700, Ephi Dror wrote:
> Hi All,
>
> Is it a way to prevent joining a domain with a netbios name that already
> used by other domain member?.

> Is it the responsibility of the IT person to make sure the name is
> unique?

Yes. Otherwise it would not be possible to simply 'rejoin' the domain when a server is rebuilt, for example.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Hi Andrew,

Thanks Andrew for your reply.

I did not quite understand one thing.

Did you mean "Yes", there is a way to prevent joining a domain using another server's name, or did you mean "Yes", IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain?

If you meant yes, there is a way to prevent joining a domain controller with someone else's name, how do we contact the domain we want to join and ask it to give us the list of computers in the domain, or ask it if a particular computer is already in the list?

Also, if a computer XYZ is already in the domain, I think the domain controller has no way to know if this computer is still alive and so on.

I know it is not a big deal for the computer whose trust with the domain has been stolen by another computer to rejoin and gain access to the domain, but if it does, guess what, it will make the other computer lose its trust with the domain. So if two computers keep on using the same name when joining a domain, they will keep on making the "other" computer rejoin, so they both will keep on rejoining all day.

Cheers,
Phi

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Wednesday, April 13, 2005 3:52 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: Re: [Samba] Joining a domain controller with a conflict name

On Wed, 2005-04-13 at 15:40 -0700, Ephi Dror wrote:
> Hi All,
>
> Is it a way to prevent joining a domain with a netbios name that
> already used by other domain member?.

> Is it the responsibility of the IT person to make sure the name is
> unique?

Yes. Otherwise it would not be possible to simply 'rejoin' the domain when a server is rebuilt, for example.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Andrew Bartlett
2005-Apr-13 23:51 UTC
[Samba] Joining a domain controller with a conflict name
On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
> Hi Andrew,
>
> Thanks Andrew for your reply.
>
> I was not quite understood one thing.
>
> Did you mean that "Yes", there is a way to prevent joining a domain with
> using another server name or did you mean "Yes" that IT must make sure
> the name is unique and no computer with this name is already part of
> this domain when joining a domain.

This is the sole responsibility of the IT department. Like Windows, Samba will use the name it is given.

It is not possible to reliably determine the difference between a machine that is rejoining the domain (say after catastrophic hardware failure, or simply a failure in the trust account) and a duplicate machine, elsewhere in the domain.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Andrew Bartlett wrote:
> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>
>> Hi Andrew,
>>
>> Thanks Andrew for your reply.
>>
>> I was not quite understood one thing.
>>
>> Did you mean that "Yes", there is a way to prevent joining a domain with
>> using another server name or did you mean "Yes" that IT must make sure
>> the name is unique and no computer with this name is already part of
>> this domain when joining a domain.
>
> This is the sole responsibility of the IT department. Like windows,
> Samba will use the name it is given.
>
> It is not possible to reliably determine the difference between a
> machine that is rejoining the domain (say after catastrophic hardware
> failure, or simply an failure in the trust account) and a duplicate
> machine, elsewhere in the domain.

True. However, if a machine named say SA1 is up and connected, and another SA1 shows up, a network error should occur. Especially if a WINS server is up.

> Andrew Bartlett
Hi everyone,

Well, I think more enhancements to net join would be great. Of course, it would not solve all possible issues, but it may cover more cases.

I also agree with Andrew regarding the "computers list" in AD. Due to so much testing we do, we also have many "dead" computer accounts, which of course means taking one of those dead names will not be a problem. However, taking a "live" name of someone else's computer will make that guy unhappy, and if you take one of your server's names you make that system untrusted by the domain, and as a result many other clients can be affected by it.

It might be a Windows bug; if they failed to create you a computer account with a name already there it could solve this problem. It would make the computers list more up to date also, since you would have to remove the dead account in order to reuse its name.

It would be nice if we enhanced the join domain process to what Windows does or NetApp does: they try Active Directory first and if it fails they try NT4 style, they try to discover domain controllers and so on. I know it is not easy for us since we edit smb.conf ahead of time, but maybe in the future we should allow SAMBA itself to adjust smb.conf on the fly...

One more thing I found lately: even when join domain succeeds, it takes a few seconds for some domains to actually create the computer account, and if you don't wait and try "testjoin" it will fail. I would recommend adding a "testjoin" phase into join domain.

Thanks everyone who participated in this discussion. I think as we try in SAMBA 4 to be as compatible as possible with WINDOWS, we can also try to make its configuration management as easy as Windows tries to do.

Cheers,
Ephi

-----Original Message-----
From: Jonathan Johnson [mailto:jon@sutinen.com]
Sent: Thursday, April 14, 2005 8:15 AM
To: Tom Skeren
Cc: Andrew Bartlett; samba@lists.samba.org; Ephi Dror
Subject: Re: [Samba] Joining a domain controller with a conflict name

Tom Skeren wrote:
> Jonathan Johnson wrote:
>
>> Again, this is the responsibility of the network administrator.
>> That's why a password is required to join a domain, so those who
>> don't know the password (read: your users) can't mess up your
>> network. As an administrator, it's your responsibility to make sure
>> that a network name conflict does not occur, by knowing if there's a
>> machine with THAT NAME on the network already.
>
> Yes, that's all fine and good, except when the boss allows some
> visiting dignitary to plug his laptop into the ethernet port in the
> conference room, etc.

Ah, office politics. So this means, to avoid offending the visiting dignitary, we cannot ask him to rename his machine, but rather we must rename our domain controller? :-)

I suppose for this reason, it's good to have "public access" ports and wireless access points on a firewalled subnet.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com