Re: [Samba] Joining a domain controller with a conflict name
Tom Skeren wrote:
> Jonathan Johnson wrote:
>> Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.
>
> Yes, that's all fine and good, except when the boss allows some visiting dignitary to plug his laptop into the ethernet port in the conference room, etc.

That's why you should use DHCP with static address assignments. If you allow foreign machines on sensitive networks, then you will soon get what you deserve. Make "guest" ports available on a network separate from your private network for visitors to browse the Internet and read mail, etc ...

Regards,
Ray

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Joining a domain controller with a conflict name
Hi everyone,

Well, I think more enhancements to net join would be great. Of course, it would not solve all possible issues, but it may cover more cases.

I also agree with Andrew regarding the "computers list" in AD. Due to so much testing we do, we also have many "dead" computer accounts; taking one of those dead names will of course not be a problem, however taking a "live" name of someone else's computer will make that guy unhappy, and if you take one of your servers' names you make that system untrusted by the domain, and as a result many other clients can be affected by it.

It might be a Windows bug: if they failed to create a computer account for you with a name already there, it could solve this problem. It would also make the computers list more up to date, since you would have to remove the dead account in order to reuse its name.

It would be nice if we enhanced the join domain process to what Windows or NetApp does: they try Active Directory first, and if it fails they try NT4 style; they try to discover domain controllers, and so on. I know it is not easy for us since we edit smb.conf ahead of time, but maybe in the future we should allow Samba itself to adjust smb.conf on the fly...

One more thing I found lately: even when join domain succeeds, it takes a few seconds for some domains to actually create the computer account, and if you don't wait and try "testjoin" it will fail. I would recommend adding a "testjoin" phase into join domain.

Thanks to everyone who participated in this discussion. I think as we try in Samba 4 to be as compatible as possible with Windows, we can also try to make its configuration management as easy as Windows tries to do.

Cheers,
Ephi

-----Original Message-----
From: Jonathan Johnson [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 14, 2005 8:15 AM
To: Tom Skeren
Cc: Andrew Bartlett; samba@lists.samba.org; Ephi Dror
Subject: Re: [Samba] Joining a domain controller with a conflict name

Tom Skeren wrote:
> Jonathan Johnson wrote:
>
>> Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.
>
> Yes, that's all fine and good, except when the boss allows some visiting dignitary to plug his laptop into the ethernet port in the conference room, etc.

Ah, office politics. So this means, to avoid offending the visiting dignitary, we cannot ask him to rename his machine, but rather we must rename our domain controller? :-)

I suppose for this reason, it's good to have "public access" ports and wireless access points on a firewalled subnet.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Joining a domain controller with a conflict name
Tom Skeren wrote:
> Jonathan Johnson wrote:
>> Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.
>
> Yes, that's all fine and good, except when the boss allows some visiting dignitary to plug his laptop into the ethernet port in the conference room, etc.

Ah, office politics. So this means, to avoid offending the visiting dignitary, we cannot ask him to rename his machine, but rather we must rename our domain controller? :-)

I suppose for this reason, it's good to have "public access" ports and wireless access points on a firewalled subnet.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Joining a domain controller with a conflict name
Jonathan Johnson wrote:
> Tom Skeren wrote:
>> Andrew Bartlett wrote:
>>> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>>>> Did you mean that "Yes", there is a way to prevent joining a domain using another server's name, or did you mean "Yes", that IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain?
>>>
>>> This is the sole responsibility of the IT department. Like Windows, Samba will use the name it is given. It is not possible to reliably determine the difference between a machine that is rejoining the domain (say after catastrophic hardware failure, or simply a failure in the trust account) and a duplicate machine, elsewhere in the domain.
>>
>> True. However, if a machine named say SA1 is up and connected, and another SA1 shows up, a network error should occur. Especially if a WINS server is up.
>
> Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.

Yes, that's all fine and good, except when the boss allows some visiting dignitary to plug his laptop into the ethernet port in the conference room, etc.

> In a purely Windows world, a naming conflict will be detected on the network as soon as the second machine boots up. You'll get a message on screen to the effect of "another computer with this name exists on the network." Since Samba works a little differently, you won't see a message like this unless you look in the logs (and your logging is set to an appropriate level).
>
> This brings to mind two ideas for improving Samba:
>
> - As part of its startup routine, Samba should check to see if there are any naming conflicts and refuse to start if there are (returning an error to the console so you know WHY it's not starting). Of course, if the other machine with that name is presently not on the network, no error would occur. An option could be added to allow operation where naming conflicts could occur, though the use of this option would be discouraged.
>
> - As part of the 'net join' routine, Samba should check to see if the domain controller already has an account by that computer name, and if so, present a warning and a prompt to continue. ('A computer account with the name SAMBA already exists in the domain ABMAS. Replace account? (y/n) [n]') This would give Samba (even more) functionality that Windows doesn't do, and the administrator a sanity check before screwing something up. The default behaviour (if the admin just hits enter) should be to either re-ask the question, or assume "no" and not replace the account. If the answer is "no" then an error stating failure to join the domain should appear.
>
> ~Jonathan Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
Re: [Samba] Joining a domain controller with a conflict name
On Wed, 2005-04-13 at 23:40 -0700, Jonathan Johnson wrote:
> In a purely Windows world, a naming conflict will be detected on the network as soon as the second machine boots up. You'll get a message on screen to the effect of "another computer with this name exists on the network." Since Samba works a little differently, you won't see a message like this unless you look in the logs (and your logging is set to an appropriate level).
>
> This brings to mind two ideas for improving Samba:
>
> - As part of its startup routine, Samba should check to see if there are any naming conflicts and refuse to start if there are (returning an error to the console so you know WHY it's not starting). Of course, if the other machine with that name is presently not on the network, no error would occur. An option could be added to allow operation where naming conflicts could occur, though the use of this option would be discouraged.

Except then you can Denial Of Service the Samba server simply with a rogue laptop (and a known reboot, such as a paperclip in the right power point...)

> - As part of the 'net join' routine, Samba should check to see if the domain controller already has an account by that computer name, and if so, present a warning and a prompt to continue. ('A computer account with the name SAMBA already exists in the domain ABMAS. Replace account? (y/n) [n]')

I would be wary of changing the behaviour of 'net join', as various NAS vendors in particular use scripts to control this behaviour. However feel free to file an enhancement request in bugzilla.

> This would give Samba (even more) functionality that Windows doesn't do, and the administrator a sanity check before screwing something up. The default behaviour (if the admin just hits enter) should be to either re-ask the question, or assume "no" and not replace the account. If the answer is "no" then an error stating failure to join the domain should appear.

I'm skeptical, mostly because this is not reliable:

- Lots of 'old' accounts exist in these databases, in my experience
- We often rejoin machines because the account fails
- If we were to do a netbios lookup for the offending machine, we would simply hit issues of Netbios scope and firewalls.

That is - do we gain by a check that the admin will regularly get a 'duplicate account detected' warning for, and know just to ignore it?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
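An advisory version of the pre-join check debated in this thread (Jonathan's duplicate-account warning, Ephi's wait for `testjoin`, and Andrew's caveat that a duplicate name or account is not reliable evidence of a conflict), as an added example that is not Samba's own code or anyone's from the thread. It assumes `nmblookup` and `net ads` are available on the joining host; the exact output lines it parses, the sample outputs in the comments, and the `Administrator` join user are assumptions.

```shell
#!/bin/sh
# Added example, not Samba's own code: an advisory pre-join sanity check in
# the spirit of this thread. It only warns and asks, never blocks on its own,
# because a stale or unreachable account is normal (Andrew's point above).
# Assumed: nmblookup and net are on PATH with a working smb.conf when run for
# real; the output formats parsed below are assumptions, and "Administrator"
# is a placeholder join user.

# Parse `nmblookup NAME` output: succeed if some host answered for the name.
# Assumed format: "<addr> NAME<00>" on success, "name_query failed to find
# name NAME" when nothing answers.
netbios_name_live() {            # $1 = nmblookup output text
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}[[:space:]]'
}

# Parse `net ads search '(sAMAccountName=NAME$)'` output: succeed if the DC
# reported at least one matching computer account. Assumed format: a
# trailing "Got N replies" line.
account_exists() {               # $1 = net ads search output text
    n=$(printf '%s\n' "$1" | sed -n 's/^Got \([0-9][0-9]*\) replies$/\1/p')
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Retry `net ads testjoin`, since some DCs take a few seconds to create the
# computer account after the join reports success (Ephi's observation).
wait_for_testjoin() {            # $1 = attempts, $2 = seconds between tries
    i=0
    while [ "$i" -lt "$1" ]; do
        net ads testjoin >/dev/null 2>&1 && return 0
        i=$((i + 1))
        sleep "$2"
    done
    return 1
}

# Interactive driver: advisory warnings, explicit confirmation, join, verify.
precheck_and_join() {            # $1 = NetBIOS name this host will join as
    if netbios_name_live "$(nmblookup "$1" 2>/dev/null)"; then
        echo "WARNING: a host is already answering to NetBIOS name $1"
    fi
    if account_exists "$(net ads search "(sAMAccountName=$1\$)" sAMAccountName 2>/dev/null)"; then
        echo "WARNING: a computer account named $1 already exists in the domain"
    fi
    printf 'Continue with net ads join? (y/n) [n] '
    read -r ans
    [ "$ans" = "y" ] || { echo "Join aborted."; return 1; }
    net ads join -U Administrator || return 1
    if wait_for_testjoin 5 2; then
        echo "Join verified with net ads testjoin."
    else
        echo "Joined, but net ads testjoin still fails; check the DC before relying on it."
        return 1
    fi
}
```

The warnings are deliberately informational: as Andrew notes, a rebuilt server legitimately reuses its old account, so the decision stays with the administrator at the prompt.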
Re: [Samba] Joining a domain controller with a conflict name
Tom Skeren wrote:
> Andrew Bartlett wrote:
>> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>>> Did you mean that "Yes", there is a way to prevent joining a domain using another server's name, or did you mean "Yes", that IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain?
>>
>> This is the sole responsibility of the IT department. Like Windows, Samba will use the name it is given. It is not possible to reliably determine the difference between a machine that is rejoining the domain (say after catastrophic hardware failure, or simply a failure in the trust account) and a duplicate machine, elsewhere in the domain.
>
> True. However, if a machine named say SA1 is up and connected, and another SA1 shows up, a network error should occur. Especially if a WINS server is up.

Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.

In a purely Windows world, a naming conflict will be detected on the network as soon as the second machine boots up. You'll get a message on screen to the effect of "another computer with this name exists on the network." Since Samba works a little differently, you won't see a message like this unless you look in the logs (and your logging is set to an appropriate level).

This brings to mind two ideas for improving Samba:

- As part of its startup routine, Samba should check to see if there are any naming conflicts and refuse to start if there are (returning an error to the console so you know WHY it's not starting). Of course, if the other machine with that name is presently not on the network, no error would occur. An option could be added to allow operation where naming conflicts could occur, though the use of this option would be discouraged.

- As part of the 'net join' routine, Samba should check to see if the domain controller already has an account by that computer name, and if so, present a warning and a prompt to continue. ('A computer account with the name SAMBA already exists in the domain ABMAS. Replace account? (y/n) [n]') This would give Samba (even more) functionality that Windows doesn't do, and the administrator a sanity check before screwing something up. The default behaviour (if the admin just hits enter) should be to either re-ask the question, or assume "no" and not replace the account. If the answer is "no" then an error stating failure to join the domain should appear.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Joining a domain controller with a conflict name
Andrew Bartlett wrote:
> On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
>> Hi Andrew,
>>
>> Thanks Andrew for your reply.
>>
>> I did not quite understand one thing.
>>
>> Did you mean that "Yes", there is a way to prevent joining a domain using another server's name, or did you mean "Yes", that IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain?
>
> This is the sole responsibility of the IT department. Like Windows, Samba will use the name it is given. It is not possible to reliably determine the difference between a machine that is rejoining the domain (say after catastrophic hardware failure, or simply a failure in the trust account) and a duplicate machine, elsewhere in the domain.

True. However, if a machine named say SA1 is up and connected, and another SA1 shows up, a network error should occur. Especially if a WINS server is up.

> Andrew Bartlett
RE: [Samba] Joining a domain controller with a conflict name
On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:
> Hi Andrew,
>
> Thanks Andrew for your reply.
>
> I did not quite understand one thing.
>
> Did you mean that "Yes", there is a way to prevent joining a domain using another server's name, or did you mean "Yes", that IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain?

This is the sole responsibility of the IT department. Like Windows, Samba will use the name it is given. It is not possible to reliably determine the difference between a machine that is rejoining the domain (say after catastrophic hardware failure, or simply a failure in the trust account) and a duplicate machine, elsewhere in the domain.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
RE: [Samba] Joining a domain controller with a conflict name
Hi Andrew,

Thanks Andrew for your reply.

I did not quite understand one thing.

Did you mean that "Yes", there is a way to prevent joining a domain using another server's name, or did you mean "Yes", that IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain?

If you meant Yes, there is a way to prevent joining a domain controller with someone else's name, how do we contact the domain we want to join and ask it to give us the list of computers in the domain, or ask it if a particular computer is already in the list?

Also, if a computer XYZ is already in the domain, I think the domain controller has no way to know if this computer is still alive and so on. I know it is not a big deal for the computer whose trust with the domain has been stolen by another computer to rejoin and gain access to the domain, but if it does it, guess what, it will make the other computer lose its trust with the domain. So if two computers try to keep on using the same name when joining a domain, they will keep on making the "other" computer rejoin, so they both will keep on rejoining all day.

Cheers,
Phi

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 13, 2005 3:52 PM
To: Ephi Dror
Cc: samba@lists.samba.org
Subject: Re: [Samba] Joining a domain controller with a conflict name

On Wed, 2005-04-13 at 15:40 -0700, Ephi Dror wrote:
> Hi All,
>
> Is there a way to prevent joining a domain with a netbios name that is already used by another domain member?
> Is it the responsibility of the IT person to make sure the name is unique?

Yes. Otherwise it would not be possible to simply 'rejoin' the domain when a server is rebuilt, for example.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Re: [Samba] Joining a domain controller with a conflict name
On Wed, 2005-04-13 at 15:40 -0700, Ephi Dror wrote:
> Hi All,
>
> Is there a way to prevent joining a domain with a netbios name that is already used by another domain member?
> Is it the responsibility of the IT person to make sure the name is unique?

Yes. Otherwise it would not be possible to simply 'rejoin' the domain when a server is rebuilt, for example.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net