samba - May 2002 - Can I kill... 'add user script' behaviour in adding users during logon?

The behavior of the 'add user script' smb.conf option is rather weird:

It is documented as an option to the login parts of the protocol, and
used to add users dynamically during the logon process, if they don't
exist locally.

However, it is also used in the SAMR code when an admin explicitly
creates a user.  This is
actually the more natural use for the parameter, but it is unnaturally
shared between the
two areas.

This 'dual use' causes problems - unexpected users being created etc.  

However, this is nothing compared to its evil twin:

'delete user script' runs when a user attempts to log in, but the PDC
says that they don't exist.  Firstly:  does this really happen?  If a
user has to attempt to log in to trigger it, what exactly is the
point... This also has rather nasty consequences, when the user does not
exist on the PDC (normal local user etc), the script can fire.  If the
admin is not careful this can be quite nasty.  While this is documented,
it is still nasty.

Whats more, all the PDC documentation refers to these options for their
SAMR use, so as to 
create machine accounts on demand...  

Now both of these options are *too* easy to misconfigure, and they
really don't fit well into the HEAD authenticiaon setup anyway.

Could these be killed in the auth context?  This would leave them as
SAMR commands, for when 
users are really added to the system.

If we still need the capability to add users to the system on a dynamic
basis (this is really the job of winbind, but I digress) could we at
least use a different option?    Like 'dynamic login user add script'? 
Or keep these but rename the SAMR meanings?

What do you think?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

I agree, they must be separate and delete user script, must NOT be
called by the auth subsystem, it is too dangerous.

Simo.

On Fri, 2002-05-17 at 15:22, Andrew Bartlett wrote:
> The behavior of the 'add user script' smb.conf option is rather
weird:
> 
> It is documented as an option to the login parts of the protocol, and
> used to add users dynamically during the logon process, if they don't
> exist locally.
> 
> However, it is also used in the SAMR code when an admin explicitly
> creates a user.  This is
> actually the more natural use for the parameter, but it is unnaturally
> shared between the
> two areas.
> 
> This 'dual use' causes problems - unexpected users being created
etc.
> 
> However, this is nothing compared to its evil twin:
> 
> 'delete user script' runs when a user attempts to log in, but the
PDC
> says that they don't exist.  Firstly:  does this really happen?  If a
> user has to attempt to log in to trigger it, what exactly is the
> point... This also has rather nasty consequences, when the user does not
> exist on the PDC (normal local user etc), the script can fire.  If the
> admin is not careful this can be quite nasty.  While this is documented,
> it is still nasty.
> 
> Whats more, all the PDC documentation refers to these options for their
> SAMR use, so as to 
> create machine accounts on demand...  
> 
> Now both of these options are *too* easy to misconfigure, and they
> really don't fit well into the HEAD authenticiaon setup anyway.
> 
> Could these be killed in the auth context?  This would leave them as
> SAMR commands, for when 
> users are really added to the system.
> 
> If we still need the capability to add users to the system on a dynamic
> basis (this is really the job of winbind, but I digress) could we at
> least use a different option?    Like 'dynamic login user add
script'?
> Or keep these but rename the SAMR meanings?
> 
> What do you think?
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
> Student Network Administrator, Hawker College   abartlet@hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 
-- 
Simo Sorce
----------
Una scelta di liberta': Software Libero.
A choice of freedom: Free Software.
http://www.softwarelibero.it

On Fri, May 17, 2002 at 11:22:49PM +1000, Andrew Bartlett
wrote:
> 'delete user script' runs when a user attempts to log in, but the
PDC
> says that they don't exist.  Firstly:  does this really happen?  If a
Yes, obviously. I once was called to a machine that went completely wild. It
would not really boot anymore. There was no 'root' in /etc/passwd :-(. I
could
not see how that happened, but they had a 'delete user script'
activated.
> Could these be killed in the auth context?  This would leave them as
> SAMR commands, for when 
> users are really added to the system.
> 
> If we still need the capability to add users to the system on a dynamic
> basis (this is really the job of winbind, but I digress) could we at
> least use a different option?    Like 'dynamic login user add
script'?
> Or keep these but rename the SAMR meanings?
Not sure. Optionitis striking again. But I think that the dynamic user adding
upon session setup is a bad hack anyway.

For compatibility: 2 new options: 'samr add user script' and
'dynamic add user
script', and mark 'add user script' as deprecated? These are really
two
functions and should be treated as such in the future.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20020517/d209a08e/attachment.bin

On Fri, May 17, 2002 at 05:22:06PM +0200, Volker Lendecke
wrote:
> Not sure. Optionitis striking again. But I think that the dynamic user
adding
> upon session setup is a bad hack anyway.
Or another idea: Add a %-Macro to tell the script which subsystem did it?

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20020517/624f977d/attachment.bin